Overview
What is Veracode?
Veracode is an application security platform that performs five types of analysis: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.
Veracode, a great security tool for everyone
Great In-Depth Analysis of In-House Applications
Thorough scanning engine and flexible reporting tools, so-so CI/CD and alerting
Veracode User Experience
Best in Security
Sleep Soundly - Use Veracode
Veracode SAST review
Veracode to the Rescue!
Great products; + Great price.
Worth the investment
Great DAST and Penetration Testing Platform.
Veracode Security far ahead of competitors
Elevating Security Through Automation and Integration
Veracode Use for Companies ERP Product offerings
Pricing
Entry-level set up fee?
- No setup fee
Offerings
- Free Trial
- Free/Freemium Version
- Premium Consulting/Integration Services
Alternatives Pricing
What is SonarQube?
SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.
What is Indusface WAS?
Indusface Web Application Scanner provides an application security audit to detect a range of high-risk vulnerabilities, malware, and critical CVEs.
Product Details
Veracode Features
- Supported: Continuous Scanning to reduce risks at every phase of development - Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test throughout SDLC.
- Supported: Developer Experience - Finds and fixes flaws in line with security integration into where developers work, automated remediation guidance, and in-context learning.
- Supported: Comprehensive Platform Experience - Streamlined governance, risk and compliance processes through flexible policy management, unified reporting and analytics, and peer benchmarking to mitigate risks fast and deliver a successful DevSecOps program.
- Supported: Market Expansion - To meet data residency needs in EU with cloud-native instance built in Frankfurt, Germany on AWS.
- Supported: Contextual Platform Data - Fine-tuned with nearly 2 decades of scanning and customer learning. Predicts future vulnerabilities with self-healing capabilities through applying machine learning and artificial intelligence to the data.
- Supported: Cloud-native SaaS Architecture - Provides elastic scalability, high performance, and lower costs with cloud-native SaaS architecture.
Veracode Technical Details
| Detail | Value |
|---|---|
| Deployment Types | Software as a Service (SaaS), Cloud, or Web-Based |
| Operating Systems | Unspecified |
| Mobile Application | No |
| Supported Countries | North America, EMEA, APAC, LATAM |
| Supported Languages | Java, .NET, PHP, Android, iOS, JavaScript, Python |
Veracode Customer Size Distribution
| Customer Segment | Share |
|---|---|
| Consumers | 0% |
| Small Businesses (1-50 employees) | 18% |
| Mid-Size Companies (51-500 employees) | 65% |
| Enterprises (more than 500 employees) | 17% |
Reviews and Ratings
Reviews
Veracode Is A Best Of Breed Code Analysis Tool
- I like the support given by Veracode, they are very responsive and they help you get things done.
- Veracode has well documented steps for administrating the platform and managing integrations for code scanning.
- Veracode is easy to use and the integration with code repositories is seamless.
- It would be good if Veracode could find a way to improve how long it takes to complete a scan job. The scan time is usually long compared to other tools in the market.
- Veracode should find a way to give administrators the ability to add other administrators to the platform.
- Veracode should invest in developing more reports that demonstrate trends of flaws vs remediations.
Veracode, a great security tool for everyone
we also have an obligation regarding the fix time and we use the dashboards to keep track of it.
- Integrates with any CI CD tool like Jenkins
- Shows result in a simple way using dashboards
- allows mitigations in a clear manner
- Scans fail if another scan is already in progress using the Java CLI
- Module selection is slow to load when it comes to big applications
- Module selection is sometimes not clear on what is scannable and what is not and why
- Remediation actions for SCA issues. You can recommend how to fix it in a clear way and not force the user to click many times to understand it.
Great In-Depth Analysis of In-House Applications
- Veracode's static code analysis platform provides in-depth information as well as very useful suggestions regarding mitigation for flaws it discovers. This is very helpful in assisting developers towards a speedy and complete mitigation.
- Veracode does well to keep connected with their customers, ensuring the success of their customers on their platform is evidently one of their goals which they hold highly. This responsiveness continues into their technical support which is both helpful and fast to respond.
- Veracode continues to update their platforms, their capabilities, and their research often; the promise of continuous improvement from all facets provides value to us as an organization.
- We would like to see Veracode continue to improve the integrations available, particularly with respect to .NET IDEs. Part of our development team uses JetBrains' Rider which is, as of this time, unsupported for static integration.
- We would also like to see Veracode continue to improve their dynamic scan offerings; with the recent addition of DAST Essentials we feel this improvement may come sooner than later.
- PDF & web reports are very well laid out.
- Custom dashboards are very flexible/powerful.
- Flaw remediation suggestions are specific and helpful for most flaws & languages.
- Documentation is clear and detailed.
- Veracode support is excellent.
- Scan times can be long
- Atlassian / Bamboo CICD integration isn't the best
- No alerting functionality when new flaws are found
- No auto rescan functionality
- The web interface is slow
It's probably not as good for smaller companies, where CI/CD is a top priority, or where cost is a concern.
Veracode User Experience
Beside static analysis we use Software Composition Analysis and we found it very helpful in rectifying vulnerabilities from third-party libraries.
- Good integration with Jenkins and Visual Studio.
- Parsing the code well.
- It has good dashboard.
- SCA graphs for transitive dependencies are very useful in identifying the vulnerabilities.
- The main problem is slow speed of the scan - it took 11 weeks in one instance.
- The problem was ongoing for a number of months and eventually they managed to slash the running time to one day. However, since then the running time usually takes 2-3 days as the scan always stops during the run.
- While SCA for Java works very well, there are a number of issues on the C++ side. It cannot recognize the libraries built by default from source code of third-party vendors.
It has good performance for Java static analysis. However, for C++ it is very slow.
Also, the Software Composition Analysis for C++ code is not yet a finished product. It cannot recognize libraries built from source code using the default build method from third-party vendors. That is the case even for libraries that have been in use for a number of years.
Best in Security
- SCA
- SAST
- Secure Code Training
- Add more labs in Secure Code Labs.
- Supporting Perl would be great.
- Better to have standard deployment for all packages in upload and scan.
Sleep Soundly - Use Veracode
- Thorough static scans
- Quick but deep dynamic scans
- Detailed reports
- Excellent consultants
- Initial user training could be better; it's very confusing at first.
- More online help
- The UI can be confusing if you have a lot of different products.
Veracode SAST review
- Low false positive rate by taking into account context and input sanitization
- List and details of mitigation proposals
- Clear reports and the ability to create your own dashboards
- Some popular dependency managers are not currently supported (e.g. conan, pnpm)
- Analysis of compiled languages requires specific preparation before compilation
SAST is well suited to the analysis of individual commits in non-compiled languages.
New vulnerabilities are added as comments in the pull request. We generate daily compliance analyses by running nightly tasks.
This provides a daily report to the security team and the managers on SAST and SCA.
Flaw mitigation involves every developer in the investigation and proposal.
This helps the owners by reducing their workload and sharing knowledge across squads.
Less appropriate:
C++ analysis on each commit is not appropriate for our modules, as it takes too long to get results (caused by the unsupported Conan dependency manager).
For public repositories, generated baseline files need to be saved securely to avoid sharing.
Veracode to the Rescue!
- Customer support that won't permit any failures anywhere along the line.
- Regular updates to the platform that supports rapid changes in technology and development practices
- Sets the standard for how AppSec scanners should work
- Sometimes finding the right person to help takes a little time
- Pricing of SAST/SCA scans may scare off some potential customers until they understand that it's worth it.
Great products; + Great price.
- Static Scan
- Dynamic Scan
- Manual PEN testing
- Open source scans with Software Composition Analysis
- Dynamic DAST fails every once in a while and creates problems during release completion.
Worth the investment
- Explains the potential issue well
- Explains a possible solution
- Scans the code quickly so we can start remediation ASAP
- Very user friendly
- Integrate with LLM functions to expand remediation options
Great DAST and Penetration Testing Platform.
- Provides robust readouts on vulnerabilities.
- Allows for detailed or customized reports to fit your organization's or clients' needs.
- Remediating findings in the tool is exceptionally easy to understand and execute.
- MPT Results should be segmented from DAST/SAST results.
- MPT Reports should include more information on scoping and testing dates as generally provided by accounting firms conducting similar tests.
- Vulnerability readouts should not be so hidden in the platform (It shouldn't take as many clicks to get to and view).
Veracode Security far ahead of competitors
- IDE Integration
- SCA
- SAST
- Plug-in pipeline
- CI/CD
- Pull requests
Elevating Security Through Automation and Integration
In all, Veracode is a critical tool that helps us remain compliant with our various annual third-party audits.
- Automation
- Software Composition Analysis
- Integrations
- More insight into errors that may be causing an issue when configuring an integration, e.g. Veracode's Jira integration.
- Static Analysis can sometime get 'stuck' when using the Jenkins integration. Days, sometimes weeks can go by before we notice. Have to delete the 'stuck' scan and re-upload.
- Manual Pen Test account management/reminders. I would expect the vendor to reach out and schedule the pen test annually, maybe send a notification/reminder when the date starts getting close, things like that. From my experience it was on me to initiate our MPT.
Veracode Use for Companies ERP Product offerings
- Automated scanning of software libraries for vulnerabilities
- Management of multiple applications and statuses, and help with security remediation
- Veracode Verified program to leverage the security investment as a competitive advantage
- The time it takes to scan large projects makes it difficult to fit into our CI/CD/pipeline
- One of our app scans times out after 2 hours and we have to upload it and scan manually, but then the CI system has no visibility into the vulnerabilities found
- Integration with older development languages to scan. We have an old 4GL-based application that is not compatible with the tools
- Monitoring software development infrastructure.
- Prevention of security threats.
- Provision of intelligent security information.
- The features are awesome.
- I have familiarized myself with all the set features.
- The overall performance is good.
A normal review of Veracode
- Very good customer support
- Visual Studio Add Ons
- Quick responses to questions
- Microsoft ADO pipeline support for other scan features
- Reports that can be generated outside of the website
- Summary of multiple reports at the user level and not administrative level
Veracode For your Code
- Realtime resolution
- Consultation calls
- Detailed report
- Using sourceclr
- for DAST scan
- Linking SCA with SAST should be more clear
Excellent Code Security Scanning Cloud Service
- Static scans
- User Interface
- Results of scans with detailed descriptions of what the issue is and how to potentially fix it
- The time to complete a static scan
Veracode makes your life easy and safe.
- SAST Scan
- SCA
- DAST
- Flagging false positive.
- Linking of SCA and SAST Scan.
- Needed to see an aggregated score for all the modules in an application.
Veracode, the proven medium for security and security awareness.
- To uncover vulnerabilities.
- To get a security awareness in the company.
- To secure our applications as much as possible.
- Good help and explanations for vulnerabilities.
- Good tele consulting in a short time.
- Concrete example implementations for best practices for the flaws and for different programming languages.
Veracode - Safe software and superb support!
- Customer Service.
- Easy Usability.
- Good documentation.
- Details on Documentation.
- Customer Communication for Appointments.
- Double checking the security of our code
- Integrating into our CI/CD process to help us catch and resolve new flaws
- Helping us maintain our compliance
- The documentation could really use some work
- I am skeptical of the thoroughness of the scans on newer languages and frameworks
- The scan takes too long
- The IDE tools leave much to be desired
- Too many false positives
The manual penetration test is very useful to have in addition to the flaw identification algorithm.
Due to the lengthy amount of time it takes to scan, it's not useful for testing every commit.
The Visual Studio extension does not make it easy for developers in day-to-day programming.
Veracode helps to improve the security in applications
- SAST analysis in the pipeline is very quick and helps to identify flaws
- Third-party library analysis is effective at reviewing vulnerabilities and recommending a secure version
- Integration in the pipeline with various DevSecOps tools/platforms
- More coverage in the languages/frameworks
- The crawl script for SAST analysis could be improved to support more functions
- More coverage for different versions of the IDEs
Healthy, bug-free Code brought to you in association with Veracode
- Reporting vulnerabilities
- Static Analysis of code
- Scan all dependencies
- UI experience could be smoother
- Navigation could be better
- Response time could be optimized