Gave us much higher quality dynamic scanning with very few false positives and a robust static scanning solution
What is most valuable? Being cloud-based is a huge plus. All of our scans are always using up-to-date scan signatures and rules, and there is nothing for us to maintain. Veracode has been…
How has it helped my organization? Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date…
What needs improvement? We've had one occasion where a sub-product upgrade required action on our part faster than we initially understood it needed to happen. This ended up being relatively…
What's my experience with pricing, setup cost, and licensing? For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.
Which solution did I use previously and why did I switch? Yes. We used a legacy, heavyweight dynamic scanning product. It would produce hundreds of pages of (mostly) false positives that were nearly impossible to digest and tune…
What other advice do I have? Of all the tools vendors I have relationships with, Veracode is simply our best vendor in terms of partnership, value add, and support responsiveness.
Which other solutions did I evaluate? Checkmarx and SonarQube.
May 26 2019
What is most valuable? With Veracode, it's not about features for us. It is about the pricing model that they offer. To be honest, with their vulnerability database, the total amount of false…
How has it helped my organization? We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the…
What needs improvement? Veracode owns SourceClear. They bought them in 2017 or 2018, and they still are not fully integrated with the actual Veracode dashboards. Right now, you have to use two…
What's my experience with pricing, setup cost, and licensing? They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static…
Which solution did I use previously and why did I switch? We never did use other products. The reason we started looking into IBM and WhiteSource was because of the hiccups or the speed bumps we were encountering with our…
What other advice do I have? If the springboard issue doesn't hold them back and the pricing model stays the same as the one that we have right now for this year with them, it's a good deal. Veracode…
Which other solutions did I evaluate? We looked at IBM before we decided to go with Veracode. I've seen the documentation that our director of information security put together. We looked at six different…
Nov 19 2018
What is most valuable? * Having the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important. * Utilizing the software as a service. We do the scanning…
How has it helped my organization? We are a state agency, we're not a private-sector company. What we're able to do is take our main web-based application, which is not only for internal use but which the citizens of Ohio also use, and…
What needs improvement? I attended a meeting of one of the security organizations I am associated with. At the meeting were security professionals from several major retail companies. The topic of discussion happened to be…
What's my experience with pricing, setup cost, and licensing? We're always looking to save the taxpayers' money. I used to tell my vendors, sharpen those pencils and make the tip laser-sharp. When it can be, I want it to be less expensive, but you get what you…
What other advice do I have? I would absolutely recommend Veracode. I've suggested to one of the larger agencies that they implement the solution and that they come to see what we've experienced and how we use the tool. I really…
Which other solutions did I evaluate? The state of Ohio decided to bring AppScan in and that's an IBM tool. IBM became a major vendor in the state of Ohio. But what happened is that AppScan does not offer static code vulnerability…
Updated: April 2020.
Jun 12 2019
How has it helped my organization? We were embracing Veracode as a process in our DevSecOps, although I have not personally used this solution for the past eight months.
What needs improvement? This is not a very elaborate application. I think that the suggestions are between thirty-five and eighty percent accurate, with most cases being about seventy-five percent. Some of them are references where you have to go and determine whether they are direct threats, or not. At the point in time…
Which solution did I use previously and why did I switch? I have used multiple tools similar to Veracode that integrate with the IDE.
What other advice do I have? When it comes to DevSecOps, in the industry it is still under adoption. With the advent of the cloud and code being there, or on other public platforms, many people have embraced it or are in the process of doing so. My advice for anybody interested in implementing this solution is to be really careful…
Jun 19 2019
How has it helped my organization? Technically there is nothing wrong with Veracode. The only issue that we have here is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome.
What needs improvement? Technically there is nothing wrong with Veracode. The only issue that we have is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a…
What other advice do I have? I would strongly recommend doing an internal analysis first, before setting it across to Veracode to proceed and to use it more as a final verification point. My point is that Veracode is very good, and I would strongly recommend it. I have seen other solutions on the market and that's why I say: don't waste your time on other products, just get Veracode. I would rate it an eight out of ten. Not a…
Jun 02 2020
Increased productivity, helped build and improve security and development departmental relationships
What is most valuable? Greenlight - Developers can test their code before they commit. They are able to privately scan their code and correct any mistakes before it is committed into the build and scanned with the other components. SAST - During a build process…
How has it helped my organization? Veracode has improved our Application Security program by providing numerous integrations and tools to take our AppSec/DevSecOps to the next level. Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST /…
What needs improvement? Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk. Right now I have to jailbreak an iPhone and Root an Android to intercept and fuzz requests with a Burp Suite Proxy. That is a very time-consuming process and there are lots…
Which solution did I use previously and why did I switch? Previously used Burp Suite, OWASP Zed Attack Proxy, Python scripts / PowerShell and Batch, Retire.JS, Vulners, and Wappalyzer browser plugins.
Which other solutions did I evaluate? We also evaluated WhiteHat Security.
Nov 19 2018
What is most valuable? It has an easy-to-use interface.
How has it helped my organization? It gives us more confidence in the application security of the products we scan. We use it as part of our AppSec best practices.
What needs improvement? We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of…
What's my experience with pricing, setup cost, and licensing? No issues, the pricing seems reasonable.
Which solution did I use previously and why did I switch? We had no previous solution. Our choice of Veracode was due to Veracode being a customer and requiring that we use their tool to scan our solution.
What other advice do I have? Be aware that the first run will find a lot of issues, many of which are not real issues; it will take time to understand that. Don't change object names as that will…
Which other solutions did I evaluate? We evaluated no other products for SAST when we started using Veracode.
Jun 12 2019
What is most valuable? The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.
What needs improvement? This solution does a good job, but it is limited to only a few technologies. I would like to see expanded coverage for supporting more platforms, frameworks, and languages. Specifically, I would like…
What's my experience with pricing, setup cost, and licensing? This solution is on the pricey side. They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.
Which solution did I use previously and why did I switch? We did not use another solution prior to this one.
What other advice do I have? My advice for anybody who is interested in implementing this solution is to ensure that your technology is actually supported because the coverage is quite patchy. It is possible that if you use a…
Which other solutions did I evaluate? We evaluated other options, but we chose Veracode.
Dec 18 2018
What is most valuable? The identification of flaws.
How has it helped my organization? * The volume of unmitigated flaws in our applications has been substantially reduced. * In terms of AppSec best practices, the team at Veracode has provided industry benchmarks against which we are measuring our improvement. * Our customers…
What needs improvement? We would like to see improvement in reporting, in particular, end dates on mitigations.
What's my experience with pricing, setup cost, and licensing? We are about to enter discussions for renewal. I have heard there may be some changes to pricing. I will reserve judgment until the discussions are complete.
What other advice do I have? I would recommend it. It covers all our custom-developed applications and will expand as new applications and services are added. We have 50-plus users of Veracode. Their roles include InfoSec, developers, development managers, QA, and…
What is Veracode?
Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.
State of Missouri, Rekner
We use Veracode static analysis during development to eliminate vulnerability issues
I have found the user interface extremely helpful in prioritizing issues.
It has almost completely eliminated the presence of SQLi vulnerabilities.
It gives feedback to developers on the effectiveness of their secure coding practices.
Veracode provides faster scans compared to other static analysis security testing tools.
It has an easy-to-use interface.
One of the valuable features is that it gives us the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important.