What is Veracode?
Veracode covers all your Application Security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premises solutions that are hard to scale and focused on finding rather than fixing, Veracode combines SaaS technology with on-demand expertise that enables DevSecOps through integration with your pipeline and empowers developers to find and fix security defects.
Veracode Buyer's Guide
Download the Veracode Buyer's Guide including reviews and more. Updated: February 2021
What users are saying about Veracode pricing:
- "For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
- "Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
- "The pricing is really fair compared to a lot of other tools on the market."
- "Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
- "It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
- "They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static analysis was about $4500 yearly. The license is only for the number of users, it doesn't matter what data you put in there. That was the old model. I do not know how the new model works."
- "If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
Sr. Security Architect at a financial services firm with 10,001+ employees
Jun 4, 2020
Gave us much higher quality dynamic scanning with very few false positives and a robust static scanning solution
What is our primary use case?
We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.
Pros and Cons
- "Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
- "One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."
What other advice do I have?
Of all the tool vendors I have relationships with, Veracode is simply our best vendor in terms of partnership, value add, and support responsiveness.
Dec 9, 2020
Prevents vulnerable code from going into production, but the user interface is dated and needs considerable work
What is our primary use case?
The use case is that we have quite a few projects on GitHub. As we are a consulting company, some of these projects are open source and others are enterprise and private. We do security investigating for these projects. We scan the repository for both the static analysis—to find things that might be dangerous—and we use the Software Composition Analysis as well. We get notifications when we are using some open source library that has a known vulnerability and we have to upgrade it. We can plan accordingly. We are using the software as a service.
Pros and Cons
- "Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
- "Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
What other advice do I have?
Usually, we open tickets now using the JIRA/GitHub integration and then we plan them. We decide when we want to fix them and we assign them to developers, mostly because there are some projects that are a little bit more on the legacy side. Changing the version of the library is not as easy as in the newer projects, in terms of testing. So we do some planning. But in general, we open tickets and we plan them. We also have it integrated in the pipelines, but that's really just to report. It's a little bit annoying that the pipeline might break because of security issues. It's good to know, but the…
Information Assurance Manager at xMatters
Dec 1, 2020
Centralized view shows the status of all scans, and if I want more information about something, it's one click away
What is our primary use case?
We have three use cases. We have the dynamic scans that we use to scan the production, public-facing URLs. We also use the static scan where we work with the Dev team and scan the code base for the web application and the mobile application on both iOS and Android. Our third use case is manual penetration tests, which my team manages. We do annual manual penetration tests. It's deployed to our platform infrastructure, which is in a public cloud.
Pros and Cons
- "In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application."
- "Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."
- "The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
What other advice do I have?
I can give advice to other managers. If they are willing to properly manage, but they don't have the time or the bandwidth to actually operate, it's a very good tool. It's easy to get access to information and it's easy to understand what's going on with your application without much of a burden. You don't have to waste a lot of time trying to understand a complicated report. Everything is accessible. And the amount of information that Veracode gives based on the flaws is very straightforward and makes it easy for the Dev team to fix them. I would rate it at eight out of 10. The tool itself is…
Head Of Information Security at a media company with 51-200 employees
Dec 9, 2020
I used a lot of the findings to put pressure on our vendors to try to improve their security postures
What is our primary use case?
We use Veracode for static analysis of source code as well as some dynamic analysis.
Pros and Cons
- "The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
- "The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs."
What other advice do I have?
My advice would be to definitely have some code that has a lot of security defects embedded into it and to run it through the scanner to test it early on in the process, ideally during the evaluation process. If your company works in five programming languages, you would want to create some code in each of those languages, code that has a lot of security defects, and then run the scanner over it to just make sure it can catch the security vulnerabilities you need it to catch and that it's consistent with how it raises those vulnerabilities. Veracode provides guidance for fixing vulnerabilities…
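The evaluation approach described in the review above (seed each language's fixture code with known defects, run the scanner, check that it catches them and labels them consistently) is easy to turn into a repeatable scorecard. The following harness is an added example written for this page; it is not Veracode's code and does not use any Veracode API or export format. The seeded-defect corpus and the scanner findings are both constructed stand-ins: in practice the findings list would be loaded from whatever results export the scanner under evaluation produces.

```python
"""Score a SAST scanner against a seeded-defect corpus (constructed data).

Added example for scanner evaluation; not Veracode's code or API. Both the
seeded corpus and the "scanner findings" below are constructed so the script
runs offline. Replace SCANNER_FINDINGS with the real export under evaluation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Seed:
    """One deliberately planted defect the scanner is expected to report."""
    language: str
    defect: str        # defect class, used to check cross-language consistency
    file: str
    line: int
    expected_cwe: int


# Constructed corpus: the same defect classes planted in several languages,
# so the scorecard shows per-language coverage and labelling consistency.
SEEDS = [
    Seed("java", "sqli", "src/Login.java", 42, 89),
    Seed("java", "xss", "src/Profile.java", 17, 79),
    Seed("java", "path_traversal", "src/Download.java", 31, 22),
    Seed("python", "sqli", "app/login.py", 12, 89),
    Seed("python", "xss", "app/profile.py", 8, 79),
    Seed("python", "path_traversal", "app/download.py", 20, 22),
    Seed("javascript", "sqli", "lib/login.js", 55, 89),
    Seed("javascript", "xss", "lib/profile.js", 23, 79),
]

# Constructed scanner export as (file, line, reported CWE) tuples.
SCANNER_FINDINGS = [
    ("src/Login.java", 42, 89),
    ("src/Profile.java", 17, 79),
    ("src/Download.java", 31, 22),
    ("app/login.py", 12, 89),
    ("app/profile.py", 8, 80),    # detected, but filed under a sibling CWE
    ("lib/login.js", 55, 89),
    ("lib/profile.js", 23, 79),
    ("lib/util.js", 3, 327),      # not seeded: a candidate false positive
]

# Scanners often report a sink a line or two away from the planted statement.
LINE_TOLERANCE = 2


def evaluate(seeds, findings, tolerance=LINE_TOLERANCE):
    """Return per-language detection stats, unexpected findings and any defect
    class the scanner labelled with more than one CWE across languages."""
    unmatched = set(findings)
    reported_cwes = defaultdict(set)
    per_lang = defaultdict(lambda: {"seeded": 0, "detected": 0, "missed": []})

    for seed in seeds:
        stats = per_lang[seed.language]
        stats["seeded"] += 1
        hit = next(
            (f for f in findings
             if f[0] == seed.file and abs(f[1] - seed.line) <= tolerance),
            None,
        )
        if hit is None:
            stats["missed"].append(seed.defect)
            continue
        stats["detected"] += 1
        unmatched.discard(hit)
        reported_cwes[seed.defect].add(hit[2])

    for stats in per_lang.values():
        stats["rate"] = stats["detected"] / stats["seeded"]

    inconsistent = {d: sorted(c) for d, c in reported_cwes.items() if len(c) > 1}
    return {
        "per_language": dict(per_lang),
        "unexpected": sorted(unmatched),   # findings with no seed behind them
        "inconsistent": inconsistent,      # same defect class, different CWEs
    }


if __name__ == "__main__":
    result = evaluate(SEEDS, SCANNER_FINDINGS)
    for lang, stats in sorted(result["per_language"].items()):
        print(f'{lang:<11} {stats["detected"]}/{stats["seeded"]} '
              f'({stats["rate"]:.0%}) missed={stats["missed"]}')
    print("unexpected findings:", result["unexpected"])
    print("inconsistent labelling:", result["inconsistent"])
```

The three outputs map directly onto the review's criteria: the per-language rate shows what the scanner catches in each language you ship, `unexpected` is the triage list for false positives, and `inconsistent` flags defect classes that come back under different CWEs depending on language, which is what makes cross-team policy and reporting hard later.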
Srinivasa Rao Kuruba
Manager, Information Technology at Broadcom Corporation
Dec 20, 2020
Our teams get a list of all vulnerabilities and incorporate fixes, ensuring that these issues do not happen in future code
What is our primary use case?
Veracode has both static application security testing as well as dynamic application security testing, also called Dynamic Analysis. Our primary use case was on the static analysis side, not on the dynamic, because we have an automated tool in the dynamic analysis scope. So our primary use was static analysis security testing.
Pros and Cons
- "It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."
- "When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications."
Principal for the Application Security Program and Access Control at an engineering company with 10,001+ employees
Dec 16, 2020
The time savings have been tremendous, but the UI is too slow and its user experience leaves much to be desired
What is our primary use case?
We use it for dynamic scanning and Static Code Analysis as well as for Software Composition Analysis (SCA). We do use this solution's support for cloud-native applications.
Pros and Cons
- "The time savings have been tremendous. We saw ROI in the first six months."
- "The UI and user experience leave much to be desired. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed."
What other advice do I have?
It is good for third-party scanning and if your code base is all modern web frameworks. It is also great for the third-party analysis. However, the Software Composition Analysis is not good if you have C++ code or anything legacy, as it does not cover that. It also does not cover iOS code. It has a lot of constraints. The solution's policy reporting for ensuring compliance with industry standards and regulations is fine. We are using it for internal reporting, but we haven't really dug into the policy definitions and tweaking them. We are using its default policies. As part of our validation…
Engineering Security Manager at Nextiva
May 26, 2019
Offers everything for both static code analysis and dynamic code analysis
What is our primary use case?
Our primary use case of this solution is for static and dynamic analysis along with the source gear for the third party dependency (not IDM). We were looking into actually moving towards IDM, but that's the extent of my knowledge. They are licensed as two separate products. They're part of the same platform, but they are licensed separately. We have Veracode, Veracode Developer Training, Veracode Software Composition Analysis, and SourceClear. SourceClear and SCA are pretty much the same. They just support different languages. Veracode as a whole, the top option, is the one that includes…
Pros and Cons
- "We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle."
- "Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis."
What other advice do I have?
If the springboard issue doesn't hold them back and the pricing model stays the same as the one that we have right now for this year with them, it's a good deal. Veracode is pretty straightforward to use and the support is really good. We don't have a lot of complaints about that. I don't know how the pricing model is going to change the actual price of the application. On a per license basis, Veracode has a very lucrative way of doing business. I don't think a big company that has a lot of services and applications would enjoy paying upwards of $200,000 per year to scan all their code…
Product Owner - DevOps at Digite
Nov 23, 2020
The centralized view of different testing types helps reduce our risk exposure
What is our primary use case?
We use Veracode primarily for three purposes:
- Static Analysis, which is integrated into our CI/CD pipeline, using APIs.
- Every release gets certified for a static code analysis and dynamic code analysis. There is a UAT server, where it gets deployed with the latest release, then we perform the dynamic code scanning on that particular URL.
- Software Composition Analysis: We use this periodically to understand the software composition from an open source licensing and open source component vulnerability perspective.
Pros and Cons
- "The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end."
- "If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us."
What other advice do I have?
I'm pretty confident about Veracode's ability to prevent vulnerable code from going into production when I'm using it. When you use Veracode, instead of using it as a manual tool, you should integrate it into your CI/CD pipeline. This way, every build is certified. Then, if there is an issue, you will know about it earlier in the development cycle, not later. Because as the time passes, it becomes more difficult to fix that issue. With Veracode's support for cloud-native applications, there are some components of our application (which are cloud-native), that we treat in the same way as…
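The review above describes two gates its team runs on Software Composition Analysis output: a license check that caught copyleft components slipping into repositories, and a component-vulnerability check, both wired into the CI/CD pipeline so a build is certified or blocked early. The script below is an added example of such a policy gate, written for this page; it is not Veracode's code and does not use Veracode's report format. The component list is a constructed stand-in for an SCA export (SPDX license identifiers plus the vulnerabilities attached to each component), and the vulnerability identifier in it is a constructed placeholder.

```python
"""Policy gate over a Software Composition Analysis report (constructed data).

Added example; not Veracode's code or export format. SCA_REPORT is a
constructed stand-in for a real export, with SPDX license ids per component.
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Example policy (an assumption of this script, not a vendor default):
# permissive licenses only, and block at "high" severity or above.
POLICY = {
    "allowed_licenses": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"},
    "block_severity": "high",
}

# Constructed SCA export. "licenses" lists the options a component is offered
# under; "vulnerabilities" carries a constructed placeholder id.
SCA_REPORT = [
    {"name": "left-pad", "version": "1.3.0", "licenses": ["MIT"],
     "vulnerabilities": []},
    {"name": "dual-lib", "version": "2.0", "licenses": ["MIT", "GPL-2.0-only"],
     "vulnerabilities": []},
    {"name": "readline-gpl", "version": "8.1", "licenses": ["GPL-3.0-only"],
     "vulnerabilities": []},
    {"name": "oldparser", "version": "0.9", "licenses": ["Apache-2.0"],
     "vulnerabilities": [{"id": "CONSTRUCTED-0001", "severity": "high"}]},
    {"name": "mysteryutil", "version": "0.1", "licenses": [],
     "vulnerabilities": []},
]


def license_ok(licenses, allowed):
    """Several listed licenses are treated as a dual-licensing choice, so the
    component passes if at least one option is approved. An empty list means
    the scanner could not identify the license, which fails closed."""
    return any(lic in allowed for lic in licenses)


def evaluate_sca_report(components, policy=POLICY):
    """Return the gate decision and the list of (component, kind, detail)
    violations that a pipeline step can print and use as its exit status."""
    threshold = SEVERITY_RANK[policy["block_severity"]]
    violations = []
    for comp in components:
        ident = f'{comp["name"]}@{comp["version"]}'
        if not comp["licenses"]:
            violations.append((ident, "license", "no license detected; manual review"))
        elif not license_ok(comp["licenses"], policy["allowed_licenses"]):
            violations.append(
                (ident, "license", "not in allowlist: " + ", ".join(comp["licenses"])))
        for vuln in comp.get("vulnerabilities", []):
            # Unknown severities rank 0 and never block; adjust if you want fail-closed.
            if SEVERITY_RANK.get(vuln["severity"], 0) >= threshold:
                violations.append(
                    (ident, "vulnerability", f'{vuln["id"]} ({vuln["severity"]})'))
    return {"passed": not violations, "violations": violations}


if __name__ == "__main__":
    import sys
    result = evaluate_sca_report(SCA_REPORT)
    for ident, kind, detail in result["violations"]:
        print(f"{kind:<13} {ident}: {detail}")
    print("gate:", "PASS" if result["passed"] else "FAIL")
    sys.exit(0 if result["passed"] else 1)
```

Failing closed on an undetected license is deliberate: the review's copyleft incident happened because a library looked fine until the report was read, so a component the scanner cannot classify should land on a human's desk rather than pass silently. The non-zero exit status is what lets the same script certify or block a build when it runs as a pipeline step.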
Cybersecurity Expert at PSYND
Dec 17, 2020
Visibility into application status across all testing types in a single dashboard helps us control everything we do
What is our primary use case?
We use both the static and the dynamic scanning. What we do is run the code through the scanner once we make any modifications. And periodically, we also run the dynamic to connect several applications. We use Veracode to check for specific vulnerabilities such as cross-site scripting. When we are checking for those vulnerabilities, we take a portion of code that is going to be generated and we run the scanner.
Pros and Cons
- "Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool."
- "Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."
What other advice do I have?
We were skeptical about running scans with a cloud-based solution, but then we saw the benefits. Everything is up to date without us having to lift a finger. We know we don't have to take care of maintenance. Also, if you work in the domain of medical devices, payment methods, or other things that are related to privacy, Veracode provides all these modules. This is a big advantage. Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly. False positives are not a main problem. The platform…