Veracode Software Composition Analysis Overview

Veracode Software Composition Analysis is the #7 ranked solution in our list of top Software Composition Analysis (SCA) tools. It is most often compared to Black Duck: Veracode Software Composition Analysis vs Black Duck

What is Veracode Software Composition Analysis?

Veracode Software Composition Analysis detects open source vulnerabilities in the software development process with higher accuracy. Veracode SCA reduces false positives by prioritizing vulnerabilities in the execution path of the application. Its proprietary database contains significantly more vulnerabilities than the NVD because it data-mines pull requests, bug reports, and release notes. It also looks for vulnerabilities in dependencies several layers deep. Veracode SCA is part of a comprehensive DevSecOps solution that covers multiple assessment types, enables developers, and helps organizations achieve AppSec governance.

Veracode Software Composition Analysis is also known as Veracode SCA, SourceClear.

Veracode Software Composition Analysis Buyer's Guide

Download the Veracode Software Composition Analysis Buyer's Guide including reviews and more. Updated: May 2021

Veracode Software Composition Analysis Customers

Blue Prism, Advantasure, Automation Anywhere, Cox Automotive

Pricing Advice

What users are saying about Veracode Software Composition Analysis pricing:
  • "Compared to other similar products, the licensing and pricing are definitely competitive. If you see Checkmarx as the market leader, then we are talking about Veracode being a fraction of the cost. You also have to consider your hidden costs: you need a team to maintain it, a server, and resources. From that point of view, Veracode is great because the cost is really a fraction of many competitors."
  • "The Veracode price model is based on application profiles, which is how you package your components for scanning."
  • "Without getting too specific, I'd say the average yearly cost is around $50,000. The costs include licensing and maintenance support."

Principal Consultant at a tech services company with 11-50 employees
Consultant
Top 10
Provides extensive guidance for writing secure code and pointing to vulnerable open source libraries

What is our primary use case?

Software Composition Analysis (SCA) is used to detect vulnerabilities in open source libraries, which are used by our customers for their own product. We are a consulting company who provides consulting services to clients. We don't buy the software for our own internal use. However, we advise customers about which solutions will fit their environment. Most of our clients use SCA for cloud applications.

Pros and Cons

  • "Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code."
  • "Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of false positives, it would be highly desirable if a false positive didn't show up again on the UI, instead of still showing up on every subsequent scan as a false positive. There is a little bit of cluttering that could be avoided."

What other advice do I have?

I don't think that Veracode has helped developers with security training, but it helps developers have a reality check on the code that they write and their open source library. That is the best value that developers can get from the product. Veracode products can be run as part of the development pipeline. That is also valuable. It integrates with tools like GitHub or Jenkins. At a high level, it does integrate with most of the pipeline of tools. It would be a showstopper if the incorporation of security was not in the developer workflows. We are past a time when developers or software…
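The "vulnerable methods" idea in the review above (and the execution-path prioritization mentioned in the product description) comes down to a reachability question: does any application entry point call, directly or transitively, a library method that an advisory names as vulnerable? The following is an added illustration, not code from the page or from Veracode: a toy call graph plus a breadth-first reachability check that splits SCA findings into "reachable" and "not reached". The call graph, entry point, library names and advisory ids are constructed placeholders.

```python
"""Reachability-based prioritisation of SCA findings (illustrative only).

Constructed toy data: an application call graph and a list of findings that
name the specific library methods known to be vulnerable. A finding is ranked
"reachable" only if some application entry point can reach one of its
vulnerable methods through the call graph. This is a simplified model of the
vulnerable-methods idea, not Veracode's implementation.
"""
from collections import deque
from dataclasses import dataclass, field

# Constructed call graph: caller -> set of callees (fully qualified names).
CALL_GRAPH = {
    "app.main": {"app.handle_upload", "app.render_report"},
    "app.handle_upload": {"libarchive.extract", "app.log"},
    "app.render_report": {"libtemplate.render_safe"},
    "app.log": set(),
    "libarchive.extract": {"libarchive.normalize_path"},
    "libarchive.normalize_path": set(),
    "libtemplate.render_safe": {"libtemplate.escape"},
    "libtemplate.escape": set(),
    "libtemplate.render_unsafe": set(),   # present in the library, never called
}

ENTRY_POINTS = {"app.main"}


@dataclass
class Finding:
    library: str
    advisory: str                 # placeholder id, not a real advisory number
    vulnerable_methods: set[str]
    reachable_via: list[str] = field(default_factory=list)


# Constructed findings: one library whose vulnerable method is on the call
# path, one whose vulnerable method the application never invokes.
FINDINGS = [
    Finding("libarchive", "EXAMPLE-ADV-001", {"libarchive.normalize_path"}),
    Finding("libtemplate", "EXAMPLE-ADV-002", {"libtemplate.render_unsafe"}),
]


def reachable_path(graph, entry_points, targets):
    """Breadth-first search; return the call path from an entry point to the
    first reachable target, or None if no target is reachable."""
    queue = deque((ep, [ep]) for ep in sorted(entry_points))
    seen = set(entry_points)
    while queue:
        node, path = queue.popleft()
        if node in targets:
            return path
        for callee in sorted(graph.get(node, ())):
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return None


def prioritize(findings, graph, entry_points):
    """Split findings into (reachable, unreachable), recording the witness path
    for reachable ones so a developer can see how the vulnerable code is hit."""
    reachable, unreachable = [], []
    for f in findings:
        path = reachable_path(graph, entry_points, f.vulnerable_methods)
        if path:
            f.reachable_via = path
            reachable.append(f)
        else:
            unreachable.append(f)
    return reachable, unreachable


if __name__ == "__main__":
    hot, cold = prioritize(FINDINGS, CALL_GRAPH, ENTRY_POINTS)
    for f in hot:
        print(f"UPGRADE FIRST  {f.library} ({f.advisory}): " + " -> ".join(f.reachable_via))
    for f in cold:
        print(f"LOWER PRIORITY {f.library} ({f.advisory}): vulnerable method not reached")
```

A static call graph of this kind over-approximates (reflection and dynamic dispatch can hide edges), so "not reached" lowers the priority of a finding rather than closing it; the library should still be upgraded on its normal cadence.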
Enterprise Architect, VP at a financial services firm with 501-1,000 employees
Real User
Enables us to identify potential problems in applications and fix them before they are used in ways they should not be but has false positives

What is our primary use case?

The primary use case for us was looking for web applications that might have vulnerabilities that could be compromised. Specifically, I was managing a team and we had built a lot of applications as well as having purchased applications from vendors. We were working with a security team to go through and scan those applications for vulnerability using Software Composition Analysis. We were trying to avoid situations where somebody could do something that they should not be able to do like get at data.

Pros and Cons

  • "This is a great tool for learning about potential vulnerabilities in code."
  • "There were some additional manual steps or work involved that we should not have needed to do."

What other advice do I have?

The advice that I would have for people who are new to the product would be to start with a proof of concept. This will help you to see how the product works with your process and people. The biggest lesson I have learned from using this solution is that it definitely increased my education on how to prevent application vulnerabilities earlier on and how not to repeat them. It also helped me as a manager to better understand how to guide and coach people. On a scale from one to ten where one is the worst and ten is the best, I would rate this product probably as a seven, if I am going back in…
Lead Cyber Security engineer at a manufacturing company with 10,001+ employees
Real User
Top 5 Leaderboard
Flexible solution with an easy way to run a scan

What is our primary use case?

In India, we have a digital development center. I'm from the security team. There are teams who develop all the applications for security features and coding security analysis. We use the Veracode Static Analysis for all projects and applications within our organization.

Pros and Cons

  • "There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go through the process. They provide good process documents, community, and consultation for any issues that occur during the use of Veracode."
  • "The scanning could be improved, because some scans take a bit of time."

What other advice do I have?

I can be confident about more of our applications in production. We can be more confident against many kinds of external threats. The lesson learnt is about being proactive, which is a good thing in security. Veracode integrates with our developer tool 95 percent of the time. It is supported very well because developers get to know why the security features are really important in any organization or application along with what they develop. They get to know the market standards of what the security threats are and how to fix them, making sure the coding or the applications are secure enough…
Senior Director, Quality Engineering at a tech services company with 1,001-5,000 employees
Real User
Top 5 Leaderboard
Good scan performance and visualization facilitates compliance and improves code quality

What is our primary use case?

We introduced SCA scanning to satisfy customer-requested open-source library scans as part of a contractual agreement. This led to expanding SCA scanning across our other applications to complement SAST/DAST application scanning. We knew we had technical debt from not updating open-source libraries for years, and were not aware of the vulnerabilities in these libraries at the time. SCA scanning is now a first-class scan component of our current practices and included in our external security audits going forward.

Pros and Cons

  • "The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities."
  • "Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues."

What other advice do I have?

Veracode has evolved to be a good partner, overall, in working through our learning needs and problem escalations. There are layers of training and consultation available, as well as recurring support engagements if the enterprise scanning needs warrant it.
Sr Director at a non-profit with 51-200 employees
Real User
Stable with good technical support and a moderately easy implementation process

What is our primary use case?

The primary use case was scanning a single-digit number of applications. We scanned them about twice a year and that's about it. It was just to get the results. We used the results to gauge our security health.

Pros and Cons

  • "The solution is stable. We've never had any issues surrounding its stability."
  • "The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified."

What other advice do I have?

I handle software composition analysis. Currently, I'm moving away from Veracode. I don't know which version of the solution I am using currently. It's not quite the most up-to-date version. If a company is looking for a long-term partner, and not just a transactional solution, I'd suggest a different company. I'd rate the solution eight out of ten.
Enterprise Architect at a computer software company with 1-10 employees
Real User
Excellent article scanning, good data support and great analysis

What is our primary use case?

We primarily use the solution for article scanning.

Pros and Cons

  • "The article scanning is excellent."
  • "The documentation is poor and the technical support isn't helpful."

What other advice do I have?

We were part of the initiation when the company started. They introduced it and we began using the solution. We're just a customer. For those companies hoping to automate the solution, I would not recommend it. It's too difficult for those heavily dependent on automation. However, for those companies who want to manually use it, I can recommend the solution. In those cases, it's easy to use even if you won't build it as a part of your automation test tools or on any internet server. I'd rate them eight out of ten. I'd rate them higher, but they have bad automation and terrible documentation…
Associate Consultant at a comms service provider with 201-500 employees
Consultant
Efficient at finding vulnerabilities but the number of false positives should be reduced

What is our primary use case?

I am a consultant and SourceClear is one of the solutions that I use to provide services. This solution is used by people who want to verify the security of their own applications.

What is most valuable?

The most valuable feature is the efficiency of the tool in finding vulnerabilities.

What needs improvement?

A high number of false positives are reported and this should be reduced.

For how long have I used the solution?

I have been using SourceClear for about a year and a half.

What do I think about the stability of the solution?

This is a stable solution.

What do I think about the scalability of the solution?

We have no complaints about scalability. We have between 200 and 300 clients.

How are customer service and technical support?

Senior Technical Architect at a tech services company with 51-200 employees
Real User
Top 20
Easy to set up and it helps ensure that our code is secure

What is our primary use case?

We use Veracode to ensure that the software we are building is secure.

What is most valuable?

The most valuable feature is the dynamic application security testing.

What needs improvement?

It takes a while to get a response to the software composition analysis. It is within an acceptable range but it could still be improved. In the future, I would like to see the RASP capability built-in.

For how long have I used the solution?

We have been using Veracode SCA for three months.

What do I think about the stability of the solution?

SCA is pretty stable.

What do I think about the scalability of the solution?

Scalability doesn't really apply to a software composition analysis tool.

How are customer service and technical support?

The…