Veracode: A Continuous Software Security Platform

I have experience with Veracode , as I did download it, and our cyber team manages that. I've used Veracode  for quite some time, more from a user perspective, not really as an admin person to run the scans. I share my role with Veracode by normally receiving the results and then analyzing them from there, as I was looking for options.

My impressions of Veracode's best features indicate that it doesn't have what I need. It's hard to integrate and perform hybrid analysis mapping. The threat modeling components aren't detailed enough. The deciphering of the results is challenging as they're hidden, making it difficult for a non-security user or normal IT developer to understand it.

We have about 100 to 200 licenses, with a very big portfolio of 500 systems, and people still don't understand it. Training 7,000 developers isn't feasible. We had training with Veracode where they conducted a major session, but nobody understood it. These developers can't be expected to remediate and configure the tool properly for comprehensive scanning. Instead, they turn everything off and only scan a very small line of code, which doesn't benefit the agency.

I wouldn't promote Veracode because it's not automated enough, and it has many configuration issues. Manual configuration is required, requiring expertise in Veracode. My thoughts on Veracode's development over time are that they have had sufficient time to figure it out, and I'm disappointed that it remains such a technical tool. It's a tool that everybody purchased when it was released, but it still isn't user-friendly.

I've used Veracode for quite some time, more from a user perspective, not really as an admin person to run the scans.

I would rate Veracode's customer service or technical support as not great, probably a four out of ten. Anytime we use the advisory to speak with an advisor, they are either too technical or have no understanding. We have a weekly meeting with Veracode because we have our own business relationship manager. He attends the calls without a technical person or lead architect to facilitate questions. When 40 people are on a call asking questions about turning off the API or fixing issues, the response is often that they cannot answer. The service is either a hit or miss, which is why I rank it low.

Positive

I wouldn't be inclined to take a 10-minute callback to discuss my experience with Veracode because I don't prefer it, so I don't think it would be a very good review. I'm looking to replace it.

My impressions of Veracode's policy reporting for compliance with industry standards and regulations are hit or miss. While it has industry standards built in, our organization has different policies that are more structured. Each policy must be set up individually, requiring comprehensive legwork.

For example, if there's a policy for a deprecated protocol in an internal-only system, Veracode still reports it as an issue. This creates unnecessary work for internal systems that aren't public-facing and have lower risk. Configuring the tool to align with policies for sensitive, public-facing systems based on law and NIST requirements requires reviewing each line individually, which becomes a two-year project.

My impressions of Veracode's ability to prevent vulnerable code from going into production is that the static code analyzer portion is adequate.

On a scale of 1-10, this solution rates a 5.

We use the scan and code scanning functionality. Those are the main ones. I just changed my role, so this company is using Veracode , but I've been using it for quite some time before joining this new company. It is currently only managing the source code review. We have other tools that we integrate as such as infrastructure as code, container security, cloud misconfiguration reviews, and others. So it's part of the overall security posture. I can't say that it's solely for our entire security posture because it just manages a subset of one of the security requirements, which is the source code review.

It has met the company's requirements. Nowadays, we are talking about AI code generation. The company is required to leverage the existing code scan to see whether it can support scanning the code that is generated from GenAI before pushing that code to the developers. The developer wouldn't know whether this code is secure or not. Usually, we do the static scan first, but now with a code generator, we want to ensure that it generates secure code.

It did the job. Just before production, we did a scan and ensured that there were no critical or high-criticality issues before going to production. I think that helps to sanitize the code without going into a peer review. We have an automatic scan that catches all these things first, so it's beneficial.

This is especially true for the library because most of these static code scans or software component analyses scan the third-party library that has a CVE or CVSS finding. But if it's a custom-built library that isn't known to the public, it's unclear whether there's a vulnerability or not. Currently, it lacks the ability to trigger on those. We probably have to use a different solution for that.

There should be a feature where we can actually scan code that has been generated by GenAI, such as ChatGPT  or Copilot. When they generate this code, they should have some kind of third-party integration feature that can suggest to us, 'This code is clean' or 'this code is good to be used for the developer.' 

We are also looking at Black Duck . They introduced a new feature. We were testing on this secure code for AI, so they do have some tools that we are currently exploring to see whether they can do secure AI code.

Regarding remediation, based on my experience, the recommendation from Veracode  on remediation is quite helpful. It gives valid reasoning, and the recommendation is fixed. 

The developers actually understand how to fix that. However, some of the recommendations, such as upgrading a certain library to version XYZ, sometimes don't go deeper because some of these libraries are not as simple as just changing the version to fix them. There are interdependencies with other third-party components. 

Sometimes, when the recommendation asks to upgrade the version to XYZ, when we actually upgrade it, there will be another issue with other things. We usually face difficulty with that one. Sometimes we take an exemption because we can't upgrade this without breaking certain things, so we decide to go for the risk exception.

I just changed my role, so this company is using Veracode, but I've been using it for quite some time before joining this new company.

The stability is acceptable overall.

I didn't get involved much with asking them questions. During the initial phase when we started integrating, they were very helpful, but after they deployed the license and everything, we haven't reached out to them to ask any other questions. It's gone into autopilot. Once you have the license, everything just continues as it is.

In my last company, they used Veracode, and then they transitioned to Snyk . The price point was the first priority we looked at. Secondly was the integration—whether it had deeper integration with our system, and was easy for our developers to enroll and use. After a trial of 12 months with Veracode, we decided to move to Snyk .

Previously, we did a comparison between Veracode, Synopsys (which is Black Duck ), and Snyk. We did our own internal review. Veracode needs to shift to a more modern approach because it still feels traditional in its way of doing code scanning compared with others, such as Snyk. They still use a base app, although they have a web version as well, but the integration part could be more seamless. I'm comparing it side-by-side with Snyk, as I'm also a heavy user of Snyk. Those aspects can be improved.

The integrated IDE  tool enables users to get instant feedback in real-time on the code itself, rather than waiting for it to go through the CI/CD pipeline and get the result. They can instantly review their code on demand, which is quite beneficial.

For my previous company, when they first adopted source code review, they went for the open-source option first. I always advocate for people to go with the open-source option to understand what the features are and how exactly the source code scanning looks. Once comfortable with it, or if certain features are needed, then look for the enterprise version. Sometimes for different companies, especially small businesses, they couldn't afford Veracode because of the steep price.

Regarding integration, apps such as Jira  and Confluence  are important. The main thing was that it's fully and deeply integrated with the user and the repository, like Confluence . Every  time there's a report, we can immediately generate a ticket from Snyk to Jira . It helps the developer get notified about issues after the scan. Then they fix the issue, tag the ticket as resolved, and once it's marked as resolved, we will do the rescan.

As a beginner, the interface is quite straightforward. People will not get confused. The technical report is professional and can be used by regulators. I can simply export it as a PDF and then share it with a regulator or any auditor for their review.

Regarding mobile code support, such as iOS, Kotlin, and others, the results were not really promising. For Java and C#, it's very good. They are pioneers in that. But for mobile development, if you're a mobile company that builds mobile apps and you have iOS, Objective-C, Swift, and Kotlin, that area needs to be polished.

I rate Veracode a seven out of ten.

We have used Veracode only for third-party libraries until now. We have automated that and have onboarded the Dev team to directly scan from their pipeline. We have integrated the CI/CD in that way. We try to see whether the third-party libraries they have been using are safe versions, and if not, we are able to guide them along. For static scan, we primarily use Fortify. With Veracode, I do not have much experience because Fortify is our main tool. 

We are the security personnel. We give proper guidance to the development team and use Veracode whenever scans are in queue or stuck, helping to provide clarity on findings. We have guided the development team with the tool so that, as security auditors, we do not have to do that. We have given guidance to the development team since every release needs code without vulnerable dependencies or vulnerable code. We have guided them in a way that they can access such tools, where they can see the report, and where vulnerable code is present.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is satisfactory. Veracode provides visibility into application status at every phase of development.

Veracode has impacted our overall security posture because we are from a security background. Every week, we review the dashboards of open findings. We use both Veracode and Fortify findings, as we are using two separate tools - one for SAST  and one for dependency-related issues. When we highlight these in our meetings every day, it gives us a picture of the timeline needed to fix the code. We are using that feature regularly, and it helps significantly.

The product could be improved in its reporting. The scanning process could be more streamlined as it has certain limitations when performing manual scans. It has some checks when the content is in ZIP format or other formats, which takes two or three more steps than Fortify does. From a technical point of view, I may not be the best person to answer that since I haven't used it regularly. Other than the scanning process, I think it is acceptable.

I have been using Veracode for a couple of years.

I would rate its stability as a six out of ten based on my personal opinion.

It is scalable. I do not face any issues with the product's scalability.

The technical support by Veracode is good because we have encountered problems before, and the team supported us effectively. For technical support, it deserves a rating of eight out of ten.

Positive

It is somewhat complex compared to Fortify. As a Fortify user for almost five years, I find Veracode complex, but others in my team who have used it for eight to nine years don't find such issues. When we were doing manual scans before CI/CD integration, it was easier.

It took approximately four to five months to onboard the solution because it was new to developers as well. There was a certain process to be followed to get access and integrate it into the CI/CD tools. We had to explain the report format to them, showing where they could find vulnerabilities and how they could fix the code, including finding safer versions of libraries and dependencies. This took almost half of 2023, and now in 2025, they do not need our help except for technical problems when there are numerous scans in the pipeline.

The pricing is reasonable compared to other tools.

I haven't used the Veracode Fix feature that produces AI-generated fixes. 

The fact that Veracode doesn't scan source code, only binary code, is not a concern because we have certain projects that work with this approach. The AI functionality could be innovative, though I haven't experienced it yet. Regarding the breadth of Veracode's end-to-end testing versus competing solutions, I would rate it as eight out of ten.

Overall, I would rate Veracode a seven out of ten.

It helps with intelligent software composition, ISC, allowing us to test fast and get fast feedback around third-party library vulnerabilities, and have a quality gate around the CVEs, and so on.

I work as a digital consultant helping customers with their digital transformation side, with the primary focus on reliability engineering, SecDevOps, and Cloud. I have multiple clients using this same product. My clients are from different industries such as retail, consumer goods, travel, hospitality, and energy.

Veracode provides visibility into application status at every phase of development, as it's how we stitch it together, allowing us to introduce it at various phases to gain fast feedback. This capability increases the velocity in DevSecOps  processes as developers receive feedback on vulnerabilities before committing, reducing the overall rework.

It helps developers save time significantly. For instance, if I take a library and assume it's going to work until it reaches QA or UAT, where we find out there's a vulnerability, that can require extensive effort for code refactoring or redesigning; Veracode helps prevent that before the pull request is merged.

Veracode impacts the overall security posture by maintaining data integrity, ensuring we are not exposed to threats from third-party libraries with known vulnerabilities. From my perspective as a SecDevOps evangelist, Veracode is crucial for an organization's shift-left security strategy. Veracode's SCA  perspective offers tools that facilitate shift-left security by providing feedback before failures occur in the development process.

All three of Veracode 's offerings are valuable: SCA, SAST , and DAST. It helps identify security loopholes right in the development phase, allowing developers to get feedback around what kind of vulnerabilities exist as soon as they check in the code or even before that in their IDE .

It would be better if we had a channel for direct communication with the engineering team to speed up the process of providing feedback. 

I think Veracode has most areas covered, but I'm not sure if they have something around container scanning yet, which is important as workloads become containerized or serverless.

Regarding innovative features offered by Veracode, it would be beneficial for them to open up a channel to broadcast new developments and features to help us adapt. We are currently integrating Veracode using their GitHub  Workflow app, but it's not yet mature.

It has been more than five years. 

We have an enterprise license and direct connection with the Veracode team. I consulted their team about a couple of issues or bugs in the product that weren't matching our requirements, and we provided feedback that they took back to address. 

I would assess their help as eight out of ten in terms of how they assist with the issues I bring to them. It's good to have access to their team at no extra cost with the license, as most SaaS platforms include consulting as part of their offerings, but access to the engineering team is crucial for faster feedback on the product fix process.

Positive

I do have experience with other testing tools such as Mend and Polaris . The main differences between Mend, Polaris , and Veracode lie in the specific functionalities and how each integrates with enterprises. Overall, the basic functionalities remain similar. In comparing Veracode's breadth of end-to-end testing versus Mend, I find Veracode to clearly be a winner in the SCA  segment. Other than that, both are pretty much equal in the SAST  and DAST areas.

When it comes to the initial setup, it's both straightforward and complex. While the product is mature, it requires integrators. For example, I'm using GitHub Flow, but the GitHub  app to plug in is not sufficiently mature.

I have not examined Veracode's pricing in detail, but from an industry perspective, I see that there is a tendency toward Veracode, which suggests competitive pricing.

I would rate Veracode's ability to prevent vulnerable code from going into production at an eight out of ten because AI is evolving, and there are other tools emerging that help by proactively changing the code without needing the developer to take action, ensuring that pull requests are handled before going into production. 

We just got the Veracode Fix feature, but we need to understand it more deeply to know if it just performs code fixes or handles dependencies as well. Can it arrange or adjust my versions to make sure that the library that I'm using does not have any vulnerabilities? We have not enabled AI-generated fixes because we need to try it out and see how it performs, especially concerning human intervention in auto-upgrading or automatic patching in production. I am yet to explore the continuous delivery and continuous deployment aspects to provide feedback on that. 

I would recommend Veracode to others, as it maintains strong industry adoption.

Overall, I would rate Veracode an eight out of ten.

My use case for Veracode  includes utilizing the SSA and SAST  modules as part of improving the code that we are developing in the company, and we have 130 developers that we are trying to onboard in this platform. We have been able to onboard 100 more or less in these months, and the idea is to change the way they are developing because we want them to heavily use the IDE  integration. 

We mostly use Visual Studio Code, and we have them using the integration plugin with Veracode  so that they can fix the security issues at dev time. When we have the product in the pipeline, and we run the scans again, it's a green light.

Veracode Fix has affected our time to remediate security flaws in cases where we've been able to use it correctly because the proposals were on point, and it's been great. 

We've seen that in the same sprint that we were developing the features, now those features are implemented without any technical security debt. What happened before was that we needed another sprint to solve those technical debts. So we haven't seen an increase in time, and the speed of development of the teams is better, and now the product is being delivered with less technical debt.

One of the aspects I appreciate most about Veracode is that even though we have a license for developers, we don't get charged by the users who don't develop code but are only trying to access the platform to see the reports or the dashboard, such as architects who do some code reviews but don't develop. That's a nice feature that doesn't happen on other platforms that we analyzed. 

Another feature that we appreciate significantly is Veracode Fix and how it's integrated with Visual Studio Code. Even though it has some room for improvement, the key usage for us is to be able to solve everything. The developers also learn how and why they have to solve the security vulnerabilities detected. At the same time, they are developing the feature. Veracode Fix has affected our time to remediate security flaws in cases where we've been able to use it correctly because the proposals were on point, and it's been great.

Regarding room for improvement, we have some problems when onboarding new projects because the build process has to be done in a certain way, as Veracode analyzes the binaries and not the code by itself alone. If the process is not configured correctly, it doesn't work. That's one of the things that we are discussing with Veracode. Something positive that we've been able to do is submit formal feature requests to them, and they are working on them; they've already solved some of them. This encourages us to propose new ideas and improvements. Another improvement that we asked for this use case is to be able to configure how Veracode Fix proposes and fixes because sometimes it makes proposals using libraries that go against our architecture design made by the enterprise architecture team. For example, we want them to propose using another library, and that's something we already asked Veracode, and they are working on it. We want to specify when you see this kind of vulnerability, you can only propose these two options.

I have been using Veracode for nine months.

It's not that easy to onboard, but once they have been onboarded on the platform, and the pipeline configured alongside the product configured, it works effectively.

I have contacted the technical support and customer support. With Veracode's technical support, for some issues, it has been really difficult for them to understand the problem, and they ask us to do some tests we've already told them we completed in the first ticket. I think there is room for improvement there. However, we are also working with premier support, where we have an engineer assigned to our account. When we work with him on one of our problems, it gets solved much faster. Now we always try to add this engineer to all of our tickets so that we can solve everything faster. That's because we have the premier support as part of our agreement.

Positive

The initial deployment was difficult. We had some problems with the SSO  integration. But Veracode found a fix, and they are delivering the final solution to production. It took us a lot of time to get that mitigation, and it's not that fast to onboard the dev teams. We are having meetings with each team depending on the language they are using and the type of application; it may be really fast or take up to a week for them to have the product integrated. My expectation was that it was going to be faster.

For us, it wasn't the most expensive solution proposed. Part of our decision to get Veracode was that when we evaluated against other products, Veracode was cheaper. What they need to measure is that you need a tool that is efficient and works for your products and how you develop, which has a nice level of detection and a low level of false positives. We make an evaluation and only choose tools that offer a good balance between providing good detections and a low amount of false positives. What was happening with SonarQube was that we had lots of false positives, making teams not care about the vulnerabilities because most were false positives. Regarding price, the evaluation should focus on how efficiently they will recover their investment, considering the time saved through the use of Veracode Fix, for example, and the ability to fix code at dev time compared to the problems faced when fixing after the product is already deployed.

We have used some alternatives to Veracode for some of the use cases. For example, for SAST , we've been using SonarQube from Sonatype and also some IDE  plugins that we've asked the developers to use, but we didn't have any centralized platform to manage and false positives or findings. For SSA, we've been using Renovate Bot and also SonarQube and some of the GitLab  integrations that we've been using for some use cases. The only one that we've used as an enterprise solution for all the products was SonarQube and Renovate Bot; the other tools were tested with a small number of teams.

We don't use some of these tools because we don't have the license for them. We are not using Veracode for DAST or for manual penetration testing, but we are using the other ones, and they give visibility through the process. I think that Veracode does it, but since we are not using DAST, we are only part of the development process before going to the runtime environments. So we are not checking anything on runtime. That part of the process, where you have the product running and you make real tests on the running product, we are not solving with Veracode, but that's mainly because we don't have the DAST licenses. The way we are using Veracode now means that since we haven't finished the rollout yet, we are not putting any restrictions on our pipelines so that they can only go to production if Veracode didn't find any critical vulnerability. Now, we are not using it as a blocker, so it depends on the team. Some teams don't want to appear in red in the reports from the last pipeline scan, so they are delivering much more secure code to production. Other teams don't care and still deliver with the same vulnerabilities, but that's something that varies from team to team. Generally, most teams have improved a lot, for example, by updating all the libraries and reducing all the critical and high vulnerabilities, delivering to production only with low or medium vulnerabilities.