Veracode

Cloud-based application security platform combining SAST, DAST, SCA, and penetration testing. Enterprise-grade with detailed reporting.

Overview

Veracode is a cloud-based application security platform that combines static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing in a single platform. Founded in 2006 and now part of Thoma Bravo, Veracode is one of the largest application security vendors, serving Fortune 500 companies and government agencies worldwide.

Veracode is particularly strong for enterprises that need a unified security platform with governance, reporting, and compliance features. It is often the mandated tool in regulated industries.

What it's used for

Veracode is the right choice when:

  • Unified security platform needed: One vendor for SAST, DAST, SCA, and pen testing.
  • Enterprise governance required: Policy management, audit trails, and compliance reporting.
  • Regulated industry: Banking, healthcare, and government often mandate Veracode or similar.
  • Third-party risk management: Assess the security of vendor-supplied applications.

Pros & Cons

Pros

  • Comprehensive coverage: SAST, DAST, SCA, pen testing, and container scanning
  • Strong compliance and governance features
  • Detailed reporting for executive and audit audiences
  • Professional services for remediation support
  • Mature platform with 15+ years of development

Cons

  • Very expensive — enterprise pricing only
  • Scan times can be slow compared to newer tools
  • Less developer-friendly than Snyk or SonarQube
  • Configuration and tuning require expertise
  • Can generate false positives — requires manual review

Platforms & Integrations

Veracode is a cloud-based SaaS platform. It supports all major languages and integrates with Jenkins, GitHub, GitLab, Azure DevOps, and more.

  • Deployment: Cloud SaaS
  • Scan types: SAST, DAST, SCA, Container, IaC
  • Integrations: Jenkins, GitHub Actions, GitLab CI, Azure DevOps, Jira, ServiceNow

Pricing

Tier        Cost     Includes
Enterprise  Custom   All modules, professional services, dedicated support

NZ Context

Veracode is used by NZ's largest enterprises — primarily banks and government agencies with strict security requirements. ANZ and ASB use Veracode for application security assessments. For NZ professionals, Veracode experience is valuable but niche — opportunities are limited to large enterprises with significant security budgets.

Alternatives

  • Checkmarx — Stronger SAST with better developer integration.
  • SonarQube + Snyk — Combined open-source/commercial stack for smaller budgets.
  • Synopsys (Black Duck + Coverity) — Similar enterprise breadth from a different vendor.