Veracode Security Labs Reviews

I work in a service-based organization with multiple tools, as every different customer is using different tools. Customers come with a different set of tools that they have already invested in, and we build solutions and provide support on top of it.

I also deploy the product for my customers and provide integration services.

In the last 12 months, I have not deployed the product. However, there is a customer we are serving that is using Veracode Security Labs. We are aggregating the results from Veracode Security Labs, analyzing it, and following up with the managed services and the support system team. I can share experience with the managed services and professional services that Veracode Security Labs is providing.

Regarding the license deployment aspect, I cannot comment much because that may not come directly under my purview. In terms of providing a solution, once the tool is deployed and in use, putting that into the CI/CD process and building a pipeline is something that I would be taking up.

SAST is the primary purpose for which Veracode Security Labs is used.

I am very much familiar with Veracode Security Labs.

Their engine is considered a benchmark in the industry. I can see this when using the other tools that we also use apart from Veracode Security Labs. Veracode Security Labs stands out in getting vulnerability information detailed and also links back to developers certain modules that they want to get trained on. Veracode Security Labs provides that particular offering as well.

The engine has a very good capability in terms of identifying a lot of weaknesses in the codebase, which is the USP.

Veracode Security Labs helps them achieve shift-left much easier by putting them into control. Not just stopping there, but it also helps in training the developers. The security posture from the maturity standpoint definitely improves with the offerings that it is providing.

There are certain ideas and certain vulnerabilities that you catch, and then it might not get through, and then we pull in under the license availability. There are certain licenses that assure the professional services. Though the team members get in and are sound in knowledge, there are few instances. This is a very corner scenario and I cannot generalize it, but in one specific scenario, it took three or four meetings with them to explain and bring the right person on board, clarify my view, and then they accepted at the very next point. It was kind of a little painful to bring the right person into the discussion. Otherwise, they usually send out developers into it with security knowledge, where I was looking for a security person who understands the core ideology of these vulnerabilities. That is one challenge I had with their professional service.

I have used Veracode Security Labs since 2018.

I would give a rating of somewhere around 7.5 for customer support of Veracode Security Labs. They always respond to you. It is somewhere the person was busy or they were actually taking some time, but I see this as an organizing thing or a communication challenge that we had. Otherwise, they never ignore you for me to give a very lesser rating. I would definitely go with 7 or 7.5.

Positive

Veracode Security Labs comes with a price. It all depends on the CISO's budget. Being a service working with a service company, I have seen both ends of the spectrum where certain firms are steadfast in securing their products to serve the customer. Since they have budget, they are going for it. Otherwise, the other spectrum of customers do not appreciate the licensing cost and the professional services cost that is attached to it, which is a huge impact on their financial budgets. They opt for alternative tools, and that is where they take our expertise in analyzing the other set of tools which comes closer to Veracode Security Labs engine and which can get the job done. I cannot be biased on one side because I work on both ends of the spectrum. My answer would be it depends on the budget of the organization. The price is still on the higher side. Once we worked on IAST, but they were asking an upfront investment of 50k, which was a little higher and it will not be an easy choice for most organizations. It is quite expensive.

The reporting feature of Veracode Security Labs is really good.

It actually allows us to put in a further trigger, say it triggers a ticket in Jira which has access to it, and then that is where we take it from and then send it, review it, and then send it to the developers. The reporting aspect is very good.

I know for Jira, but for AWS and other areas, I do not think there should be any issues because this particular customer was on AWS and I do not think there are any issues that they faced for this integration.

We have got this license to one of the vendors for the training and for the license part, but I may not be in a position to answer that because I have not used it. We acted as a reseller for them for a certain amount of time.

I would give an overall review rating of 7 for Veracode Security Labs.

I use Veracode on a private cloud. When we implement a new solution, it needs to undergo user review. I was specifically interested in learning how the software works and how it can benefit my organization. Once I can get some clarity on this, I can recommend it to my IT team. I have not used the public cloud application yet because I am in the initial stage, and I am still doing trials on my end. 

The solution provides guidance on how to fix vulnerabilities. Veracode has robust reporting and data analytics. I manage key accounts, and data analysis is essential for anyone in a critical sales role. Veracode gives us a comprehensive analysis and reporting structure. When we input data from different teams, we have different criteria for analysis, like performance over time and performance versus target benchmarks. The reporting works well for these key performance indicators.  

Veracode developers have maintained an end-to-end security approach. The platform is highly secure. Users can secure their data and access it at any time based on their requirements. It makes data analysis easier and more user-friendly.

Security Labs has an excellent mechanism for reducing the errors introduced into the system. It also acts as a resistant wall that blocks viruses and rapidly fixes the vulnerable components. It works optimally for my current use. In terms of compliance and governing regulations, this solution works well. It complies with all government norms and global IT documentation.  

Productivity has slowly improved because the Static Analytic tool helps me save time. In the end, we are more productive because we work smarter and optimize the reporting pathway. Veracode also integrates with our development tools, which is helpful because our IT team is incorporating other functions in their backend. 

This solution is a firewall for the workflows. It filters your data, and it will block any kind of threat or malware. A warning pops up, and it says you need to take care of the issue. It has raised developer confidence by mitigating risks. It limits access to specific users at a given time. It's a good tool in terms of secure access. 

I like the end-to-end learning experience. That also includes SAST. It has a low false positive rate.  

I would like the team to make users like me aware of the new features sooner, so we can get the most from this product. Otherwise, there is no disadvantage.

I have been using Veracode for less than six months. I'm currently exploring the free version.

Security Labs is stable so far. 

Knowing the various area of their application of this solution, I can say, it is scalable and it will help the industry to grow and solve security issues.

I haven't encountered any disadvantages or flaws in this product, so I haven't needed to contact support, but I'm confident that the Veracode team will respond as quickly as possible if there are any difficulties.

The installation is straightforward. I've only deployed the free version to try it out, but I'm sure deployment will be smooth in the next phase. 

We still use the trial version, but I feel confident that Veracode will offer competitive pricing. 

I didn't evaluate other options. I found the kind of accessibility and features I was seeking in this solution, so there was no need to look at other options. 

I rate Veracode Security Labs nine out of ten. I would recommend it. My advice to future Veracode users is to check every facet of this solution and correlate your requirements with what this solution offers. 

I use it to scan applications to try and find security flaws.

We have access to the security platform and our applications are updated there. Besides that, we have installed the Greenlight plugin in the IDE. We can run the Veracode scan locally in our laptops thanks to that plugin.

We found some SRS errors, then we checked in Veracode how to fix those errors. Based on that, we let everybody know that when similar errors were happening to implement the same or similar solution. We are taking the pieces of advice that we get for Veracode fixes or remediation to develop better quality software.

Veracode Security Labs helps our developers get security feedback faster in our integrated development environment. This is very helpful and important for being able to detect errors and get the maximum amount of information and feedback as possible. 

Every time that an application needs to be deployed to production, it needs to run against the Veracode scan. Then, if an error is detected, it needs to be repaired. 

When a flaw is discovered, the information that they give and the links to get further information about how to remediate the flaws are actually quite good.

Using the Greenlight plugin makes everything simpler. It provides you with some examples of how you should implement a required fix for a flaw found in your code.

Veracode Security Labs is very good for providing examples of code vulnerabilities in a developer’s chosen language. This is important because if a flaw is found, then they provide me with a few examples of how to implement it. I don't need to go to Google and try to figure it out myself. They already provide me with some good quality examples that I can use to implement the fix.

They provide some links to other pages that have plenty of information. If a developer wants to learn more about a flaw, how to prevent that flaw, or a solution to that flaw, then they can find some information. If it is not directly on the Veracode web page, then they can find that information on links that the Veracode web page contains.

There are two parts that I think should be improved. Both the web page and the report have the same issue. Both are sometimes messy and very difficult to find information. You need to know where to look and especially where to find information. It can be a bit confusing in both the report and the web page. Quite often, I keep learning new things because some of the information is quite hidden. You need to click this link, then click here, and go here. Then, "Wow," you get so much information that you didn't know existed. Information is a bit hidden and there should be an easier way to access it after a scan is generated.

You should find out all the places where the information can be stored because sometimes you can test and think that you have all the available information, but often there is more. It would be good if there was a good explanation from Veracode about where exactly to find all the information on how to get the best from the system, since it is a very powerful tool and to use it sometimes requires a bit of knowledge.

The stability is good. It is one of the most stable third-party applications that we are using.

We have called them to mitigate some bots because the scan had some type of flaw. I called them and everything was very fine. They were very helpful. We got a fix. I would rate the support as 10 out of 10.

Positive

We didn't use a similar type of solution before Veracode. 

I was not involved in the initial setup.

In theory, I shouldn't have to use it more often than what I use it for now, and I probably use it once per week right now.

From a security point of view, we are using only Veracode.

I learned a lot about security using Veracode. It definitely has been a tool that opened my eyes regarding flaws and how to fix them. The big lesson that I learnt was how important security is and the benefits of having a good tool for it.

I would rate the solution as eight out of 10.

My primary use case is secure programming with C++. This product assists with basic security awareness for computer systems.

In general, this product gives us more ways to correctly and securely write code for our projects.

In terms of how easy it is to write secure code using this solution, we have to put some thought into it but after some consideration, we can easily pass the test and add value to our programming skills.

The platform is quite good in terms of helping developers apply new skills in interactive threat scenarios. I would rate them an eight or nine out of ten in this regard. We have always had software programming best practices but after working with Veracode Security Labs, I gained insight as to what can go wrong when simple choices are made. As such, our team has been more alert to potential problems and we consider all of the things that we have learned during the Veracode assignments.

For example, our organization has benefitted by learning to avoid specific attacks, such as "buffer overflows". This is a situation where data should not be written outside certain locations in memory. This is very technical stuff but more generally, the benefit to us comes because we have more accurate and secure coding practices, as well as a better overall strategy.

This product integrates with our IDE and it proactively makes developers aware of security issues in the code. It will point out common mistakes that in the past have had very bad consequences. Moving forward, we can all avoid these types of problems.

Veracode very well explains some of the hacking and exploitation techniques that are employed by adversaries, which helps us to focus on certain types of problems.

This training is now compulsory for my client.

The most valuable feature is the identification of vulnerabilities in existing programming language functions.

We use the hands-on training labs and they are very important due to the nature of our software. Our software is mission-critical and for example, the product that I am working with is related to the software development lifecycle, and it's used by a lot of customers around the world. As such, it must work correctly and it must be secure.

These security assignments help us to enhance our customer experience and instill confidence in our programming practices. We are better able to detect and deal with vulnerabilities in code.

The hands-on training has helped us to tackle modern threats by coding with vulnerabilities in mind from the beginning of a project. It has improved our process overall, and the number of vulnerabilities has been reduced. 

Veracode provides examples of code vulnerabilities in different programming languages and this brings about awareness for our developers. When they work on projects, they learn to avoid those types of mistakes. 

The programming exercises help to illuminate common coding problems and walk developers through how to fix them. This is very important to us because our developers learn what can go wrong, how to spot problems, and how to eliminate them. It helps all developers learn to better avoid problems and related exploits.

It would be good if there were more assignment problems in the inventory, as well as more randomness in the coding examples.

At some points, we faced problems because we were not able to complete an assignment. It took a while to understand what was wrong but this is related to the fact that some of the exercises are very difficult in terms of coding. An exercise is only complete when the output exactly matches what is expected. In this regard, I think that the system should be more flexible in terms of what it accepts from the user.

I had some trouble logging on to the Security Labs service. Direct username passwords are not supported. A single sign-on service is required and I was not able to add my external email address. As such, I was not able to add Veracode's assignments directly to my LinkedIn profile. It's a feature that I was not able to take advantage of. However, it did not matter because I was able to add the certifications to my profile manually.

I have been working with Veracode Security Labs for approximately two months.

There are no concerns with stability.

Scalability-wise, this solution is very good. I believe that installing new problems into the system is straightforward.

All of our developers, including senior developers and architects, go through the assignments.

I have not been in contact with technical support. The only issue that I had was something that I was able to solve myself.

I have used similar solutions in the past. However, they were in-house training products. For example, when I was working for a large electronics manufacturer, they had a similar system and it was also very good.

The main difference was simply that they were private, and not available to the public. The certifications provided by Veracode are issued and you can advertise them, whereas, with an in-house solution, you only know if you passed or not.

Another difference is that the in-house system that I used had many more test cases that are used to evaluate the user's response. This is something that I didn't see with Veracode.

I was not involved in the initial setup.

They have a Community Edition of this product that can be used free of charge.

When I started with Veracode Security Labs, I began with the mandatory training. Afterward, I completed some of the optional training exercises. I had not read about all of these in advance but I found that the descriptions are well-stated and easy to read. As such, I went ahead and worked on assignments in other programming languages.

My advice for anybody who is interested in this product is to try the Community Edition, which they can use for free. Try to understand the basic problems and if they're not able to complete them, look at the assignments in more detail. Overall, they will get a lot of value from Veracode Security Labs.

I would rate this solution an eight out of ten.

I have used it as part of Veracode's Secure Coding Challenges. The challenges are a competition hosted by Veracode, where community members work through the training in a time-limited fashion. The first members to complete the challenges are deemed the winners.

The challenge topics range among OWASP's top 10 topics. I am an application developer, so the Veracode Security Labs are directly relevant to my work. They help illuminate common coding problems and walk through the appropriate way to fix them.

Veracode Security Labs walks through a common scenario. A developer inherits a codebase that has issues and has to figure out how to fix them. The platform helps guide the developer through the best way to accomplish this. Learning through a hands-on approach is very effective.

With the hands-on learning approach developers become more secure coders, which means they are less likely to add bugs to the software they are building. This saves time and money in the long run as the mindset of security is shifted left to earlier in the software development lifecycle.

The most valuable feature is the guided approach of walking the developer through the best way to fix the issues in the codebase. This approach is hands-on and extremely effective at teaching developers the right way to implement security controls.

Being able to view the codebase, and edit it in order to remediate the vulnerabilities is extremely powerful.

The best part is that this is all within the web browser, so the developer doesn't have to install any development environments or download anything to work through the training.

At this point in time, the platform seems to be focused on web-based applications. For additional features, I can see opportunities for other types of technologies, like mobile applications, batch processing, and backend services or message queue processing. I suspect that these additional types of learning would be difficult to provide through a web-based learning environment, but not impossible.

Web application development covers much of the industry, but there are also developers working with these other technologies that could benefit from a learning environment more specific to their technologies.

I have used it as part of Veracode's Secure Coding Challenges, starting in late 2020.

This is a stable product.

My impressions of the scalability are positive.

I have not used another similar solution.

The initial setup is straightforward.

It was deployed through the Veracode Secure Coding Challenge.

I did not evaluate other similar products.

Our use cases are for both dynamic and static scanning of web applications. The application is cloud-based in a major cloud provider. We schedule scans at regular intervals that support various compliance efforts within the enterprise. The application has a modern design with a responsive UI that adapts to the display of the device being used. Veracode seems to have little trouble scanning our application. Overall, we are happy with the service that Veracode provides us although the cost does seem quite high in my opinion.

Our developers are more security-aware and are writing better code. The e-learning option allows our developers to dig deeper into the security issues. Topics such as sanitizing input, carefully configured logging output, and other typical sources of vulnerabilities. We have a better understanding of the proper configuration of web servers and web proxies as well. The Atlassian integration has helped manage our compliance paperwork in a more automated way also. Overall, we are happy with the service that Veracode provides to us.

The Atlassian integration is the most valuable aspect of this solution. Many other security platforms don't seem to have this feature or want an exorbitant amount of money to get it. Automated integrations such as these make compliance much easier to track and maintain. Additionally, the integrations help with agile processes such as DevOps. We are able to schedule things like scan submissions to Veracode that aids in automatic, regular scanning of our web application. Veracode also allows for customizing your corporate policy for things such as remediation deadlines.

Developers frequently complain to me about the user interface and the difficulty in navigating the web site. I too have had some very frustrating moments trying to find things. I do not find the dashboards all that helpful though they are pretty and there seem to be plenty of them. I am running out of critiques to say about Veracode but it seems I must use 500 characters regardless of what I need to say. It seems like an arbitrary requirement. I'm still not at 500 yet. Can I say that this requirement should be cut in half?

We have been using Veracode for a little over two years.

Rock solid. I don't think we've ever had issues being able to access the system. Whenever we have needed to log in and look at something in our results, we have always been able to do so. The only stability issues we have had is with the dynamic scan authenticating into our web app. Sometimes for no understandable reason, it will stop authenticating. However this has only happened a couple of times.

Scalability seems fine. Have not noticed any issues.

Service and support is always helpful and knowledgeable. Turnover seems to be an issue. We are frequently being assigned new staff to our account. So far though, the level of service has been great.

We tried to do it manually ourselves with Burp Suite Pro but it was too cumbersome and no integrations with Atlassian.

Straightforward and web-based. 

Configured ourselves with some assistance setting our policy configuration as I recall. Veracode staff is knowledgeable and always helpful. 

Difficult to quantify. What's the cost if you ignore security?

It's expensive. Know that going in. Your organization, your programmers, and your product will be better for it though. 

I spoke with Checkmarx as well. At the time, Veracode seemed to be cheaper.

We are currently evaluating this platform to see if it would help as a company-wide solution. 

If Veracode Security Labs is chosen then in the future, it will help developers, DevOps, and testers to better and more deeply understand threats and remediations related to application code.

In general, Veracode Security Labs will be used to improve the security of the code and help developers in their daily work.

At this point, we do not yet have an organization-wide improvement. The selection process is still underway. However, Veracode Security Labs is better than other evaluated competitor's solutions so far.

The most valuable features are:

• Knowledge of how to write a secure application, like OWASP ASVS 4.0, that is spread across the web is gathered into one place. This can save months of learning and search on your own.


• It is possible to earn Veracode certificate levels one, two, and three, after completion of a defined amount of labs.


• It provides a complete review of vulnerabilities & possible fixes for OWASP Top 10 in one place.


• The Hack & Fix learning approach makes the learning process more interesting.


• Solve vulnerabilities using interactive labs & real applications with the language of your choice.

The following areas should be improved:

• 
  Veracode Security Labs should cover more than only the OWASP Top 10. 


• A more advanced Veracode Security Labs should be added. 


• More Java-based labs should be added; ideally, all Veracode Security Labs will be available in the Java language.


• Veracode Security Labs should provide better support for code completion and syntax control (when applied eg. Java) when working on the application code.


• Some Veracode Security Labs are too easy to complete, although this is a subjective opinion.

I have been using Veracode Security Labs for two months.

We did not use another solution prior to this one.

It is one of the best solutions in the market to help train the developers. We mostly use AWS as a server with the solution.

We are satisfied with the solutions ability to train developers.

There could be better integration between the API and the pipeline systems. For example, if you do penetration tests and you want to share the results with the DevOp team's pipeline, you cannot do it automatically because the API is not good enough. 

We have been using the solution for approximately three years.

The installation is straightforward.

I rate Veracode Developer Training a nine out of ten.

We use Veracode Security Labs along with Veracode Developer Training and other Veracode components in our company for Digitial Health, and security testing.

Veracode and all of its components have helped us in developing a secure product.

All of the features offered in this solution are valuable.

The features are extensive, which is why they are ahead of the game, and the reason I continue to use this solution.

The only area of this solution that needs improvement is the pricing for startups.

I have been working with Veracode for several years.

It's a stable solution. We have no issues with stability.

It's a scalable product.

The technical support is amazing! They are very responsive.

We also use Veracode Developer Training, Manual Penetration Testing, Static Analysis for the same use case.

The initial setup is straightforward and extremely easy to install.

Deployment only took a few hours.

We have a team in-house.

The pricing for qualified startups should only charge for Veracode Developer Training.

The licensing cost should be fair, and the use cost when the company or the clients release their product to the market should also be fair.

They put together a complete solution that has a number of components. My advice is to take it all. Don't just take just Developer Training or Security Labs or Static Analysis. Rather, take the whole solution and run with it.

Veracode cannot be taught about security. I would rate Veracode Security Labs a ten out of ten.

We use this eLearning product for our developers. We are working on adding it to our enterprise eLearning solution to help get developers to take it.

We use Veracode Security Labs as our primary security learning platform. It was pretty cool to use for the first time.

The coding challenges were well put together and I was happy to see some of the challenges even had a built-in web browser. That made them very convenient.

I would have liked to see a bit better auto-completion in the IDE, and there was a typo in one of the questions where the code you were supposed to copy was missing a pair of parentheses. I'm sure the typo messed up a lot of people.