Veracode Reviews

For every application we develop, we want both static and dynamic security scans done before deploying them.

The solution helps us to verify if our code is error-prone or has any OWASP security flaws. It has also reduced our scanning time, but it's difficult to say by how much.

Also, the scanning process helps a lot when it comes to improving standards and best practices. If we scan multiple times and we get the same warnings again and again, it helps us to identify that there's something we need to rectify, overall, in our standards and processes.

In addition, the solution has helped to increase our security and development teams' productivity.

On the whole, Veracode has improved the quality of our code and the end product. It has reduced our security debt by 40 or 50 percent. It helps protect our application from external attacks.

It scans for the OWASP top-10 security flaws at the dynamic level and, at the static level, it scans for all the warnings so that developers can fix the code before we go to UAT or the next phase.

It also gives us a centralized view of issues and that is important because security is key to any application. We want to identify the flaws as early as possible. The centralized view means that everybody can see the report and remediate accordingly.

I would like to see improvement on the analytics side, and in integrations with different tools.

Also, the dynamic scanning takes time.

We have been using Veracode for more than six years.

It's a stable product.

We have about 30 to 40 developers using the solution. We use it on a weekly basis but I can't comment on whether we will increase our use of it. That depends on our product.

Technical support is average. They take some time to respond.

We didn't use anything prior to this.

The ROI for us is that it improves our code quality and helps remove security flaws. It is an essential tool.

It does root analysis, but fixing things is up to us. Also, it doesn't require much maintenance.

I would highly recommend it.

We use it for static scans. It is mandatory in our company for every sort of project.

Veracode provides the organization an understanding of security bugs and security holes in our software, finding out if the software is production-ready. It is used as gate management, so we can have a fast understanding if the software is suitable for deployment and production.

My job is to help projects by getting the data integrated in Veracode. I don't own the code or develop code. In this area, I am a little bit like an integration specialist.

We use Azure and AWS, though AWS is relatively fresh as we are now just starting to define guidelines and how the architecture will look. Eventually, within a half year to a year, we would like to have deployments there. I am not sure if dynamic scanning is possible in AWS Cloud. If so, that would be just great.

The possibility to integrate Azure is very valuable because you can have every build integrated into the content integration pipeline. So, you can have every build scanned and determine when a new bug was introduced. Thus, you can keep great track of your code's security.

You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs.

Third-party library scanning would be very useful to have. When I was researching this a year ago, there was not a third-party library scan available. This would be a nice feature to have because we are now running through some assessments and finding out which tool can do it since this information needs to be captured. Since Veracode is a security solution, this should be related.

I would recommend that they keep working on the integrations. For Azure DevOps, the integration is great. I am not sure what the integration possibilities are for the Google platform or AWS, but I would suggest every other platform should have this easy and great integration. It takes a lot of time for companies, so this feature is a big plus.

I have been using it for about three years.

There have been no issues at all. There has been no downtime registered.

I worked with the technical support to integrate some things. One of our private cloud providers only had old routers. It was possible only to open network connections to IP addresses, while Veracode only provided the URL in their guide. So, I asked the technical support if it was possible to provide some fixed URLs that we could give our provider since it is unfortunately against the concept of the cloud to provide the IP addresses that work just for some time. The technical support's response was within a day, and it was prompt and clear. Also, all their reasoning made sense so the support was very good. I would rate the technical support as 10 out of 10.

Positive

We also use SonarCloud, which is a code quality tool. We use both of them because both these platforms are good in some areas. While the Veracode is very good at finding security-related issues, the SonarQube Sonar suite is very good at determining code quality. Also, when I was looking into the topic, the SonarQube team answered that there is no point for them to go further into code security since there are already great competitors who have years of experience and development behind them, specifically mentioning Veracode as masters in their field. That is the reason why we use both solutions: We benefit from using them both. These solutions compliment each other.

I evaluated WhiteSource Bolt specifically for third-party library scanning, but I did not have a lot of time to create a proper PoC. I had a call with WhiteSource and told them that I would like to do a PoC, but I was not very satisfied with their support. It was like, "Just try the free solution then contact us again." However, the free solution didn't provide me enough things to make a decision. So, I just put it off until sometime possibly in the future. If Veracode offered third-party scanning, then we wouldn't need WhiteSource Bolt at all.

If you have Azure DevOps and would like to understand your code and how secure it is, then there are not a lot of better options. Also, there are not many choices in this area at the moment.

Once your code is scanned by the static scan of Veracode, you get some evaluation scores based on some criteria. For the management, when it is above a certain number, it is fine, but when it is built below, then it is no-go for production. Even though there is a possibility to create a sandbox environment for projects, they don't get it. That is understandable to me. I try to explain to them that there are no issues if you are working in a development environment and you get difficult scans. It is fine then because you can create a sandbox environment, which will not screw up or make the production releases worse because it is in a separate bucket.

We are happy using the solution. I would rate it as nine out of 10.

We use it for code analysis to see if there are any vulnerabilities in the code. I'm heading a startup for this, and I have a development team of about 14 people. They upload the codebase to Veracode, run an analysis, and take the results. If there are any vulnerabilities, they fix them.

It reduces security vulnerabilities and increases our security level. It has been helpful in reducing our security debt.

Having a centralized view for our developers and security professionals is very important. If there is anything in the cloud or infrastructure, we need to know proactively. Otherwise, we wouldn't know when there is a security compromise. So, we have to be prepared so that if something happens, we know where to go and stop it. It is not always about fixing and making your code zero percent vulnerable. That doesn't happen generally, but you need to know the areas where something can go wrong. If those areas are your critical systems or critical data security parts, you can act accordingly and quickly.

The centralized view has improved the visibility into the status of our application code. This visibility is very important because we need to know the condition or status of our codebase.

Scanning with the solution has increased our fix rate, but I don't have the metrics. It has also helped to increase the productivity of our security and development teams.

It is a good product for creating secure software. The static code analysis is pretty good and useful. The mitigation recommendations provided by the scanning engine are also pretty good.

From the usability perspective, it is not up to date with the latest trends. It looks very old. Tools such as Datadog, New Relic, or infrastructure security tools, such as AWS Cloud, seem very user-friendly. They are completely web-based, and you can navigate through them pretty quickly, whereas Veracode is very rigid. It is like an old-school enterprise application. It does the job, but they need to invest a little more on the usability front.

From the pricing perspective, it is not very convenient for startup organizations. They should have options to onboard it for the startup ecosystem quickly and affordably.

There should also be strengthening of the developer community.

I have been using this solution for almost a year.

I didn't find any errors. It is available and stable. I didn't have any issues with it.

Its flexibility is very less. It is a very rigid application. Currently, we have six users of this solution in our organization.

I interacted with them once. They were very good. They were very friendly and supportive. I would rate them a seven out of ten.

Neutral

We didn't use a different solution previously. The company started just a year ago. 

For enterprises, Veracode has done a fairly good job, but its pricing is not suitable for startups. The microservice distributed architecture for a startup is very small. I had to do a lot of discussions on the pricing initially. I previously worked in an enterprise organization where I used Veracode, and that's how I got to know about Veracode, but that was a big organization with more than a thousand employees. So, the cost is very different for them because the size of the application is different. Its pricing makes sense there, but when we try to onboard this solution for the startup ecosystem, pricing is not friendly. Because I knew the product and I knew its value, I onboarded it, but I don't think any other startup at our scale will onboard it. 

Its pricing should be based on the size of the application or organization. For a startup organization, they can provide credit-based pricing. They don't need to reduce the price. AWS, Google, and other vendors do the same where they don't reduce the price, but they give credits. I have been in the industry for 15 years, and I have seen that people don't like to change technologies for many reasons. For the first year or the first 18 months, customers can explore the product completely free. If the first year is free and you are onboarded, you would stay with it if it does the job. If the product is doing its job and adding security value, there is no reason to change it in the second year, and you are also ready to pay because, in the first year, you have tested that it is working fine. A company that has used it for the first year would definitely need it in the second year because they keep adding code to the codebase. Another option is that, like Cloudflare, they provide a very slashed rate. Cloudflare onboards everyone at a very cheap price, but when you start exploring the actual use cases, they start adding. 

It is a good product, and you should consider it, but it can be elevated more for startup culture. It should be more pricing-friendly and user-friendly. There should also be strengthening of the developer community.

We are only doing code analysis with it. For manual penetration testing, we have to contact an entity.

It hasn't reduced our scan time. It also hasn't helped our organization with certification and audits. We're a small startup, and at this time, we don't have audits, etc. We might do that later. 

I would rate this product a six out of ten.

The solution is used for performing application security processes like source code assessment, dynamic assessment, and SCA.

We sell the product to our customers. We are a vendor.

The SAST and DAST modules are great. The scanning part is also good. It’s pretty easy and convenient to use. Everything is described within the product. Almost everything is available in the community and the guidelines.

Veracode Greenlight scans the code while the developer writes it. It will be beneficial for developers if Veracode Greenlight includes Python.

I have been using the solution for almost one year.

The tool is stable.

The scalability of the product depends upon the pricing. The price is a bit high for a small company. It is suitable for a large company.

Support is very good. The support team resolves some issues within 24 hours.

Positive

I tried a few solutions before using Veracode. Veracode is better because it is convenient to use. The solution’s dashboard and features are pretty good. It is the topmost product among the other tools that I used. It is pretty simplified. Veracode has a lot of options to do authenticated scans. Veracode’s simplified features are helpful for people who use different authentication methodologies.

We are using the SaaS version of the solution. The initial deployment was pretty easy. The CI/CD pipeline has a lot of dependencies, like connecting with Jenkins and Jira. If we directly upload the code to the cloud, we can deploy the product within a single day. If we do it in the CI/CD pipeline, it will take some time.

One person can deploy the product. I haven’t had any maintenance-related issues with the solution. Whatever new vulnerabilities come, they are already updated in the database. Since we are a partner, it will be helpful if Veracode notifies us whenever it releases the vulnerability reports. We cannot always check the portal.

The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.

Veracode provides policy reporting to ensure compliance with industry standards and regulations. It is beneficial. The product also provides features to create custom policies. Most false-positives cases come under DAST. The false positives depend on the code. Veracode provides around 5% false positives.

The solution shows the vulnerabilities in the code and provides generic remediations for it. We must then search it on Google. The product’s community is also good. Sometimes, the product provides solutions in the community. These solutions work well on the production level.

I have also used the SCA features which help with identifying vulnerabilities in applications's third-party components. The Veracode user interface is so convenient and easy to use. Anyone can run a scan and generate a report easily.

The solution provides absolute visibility into application status at every phase of development. The users can get visibility through the CI/CD pipeline. The time taken to complete the scans depends on how much code is present in a specific application and how big the application is.

Veracode introduced a new module named Veracode Fix, which automates the fixes for insecure software with AI-generated secure code suggestions where the developer does not have to spend time searching and remediating the vulnerabilities. The developer does not have to spend time searching for vulnerabilities. Sometimes, the tool gives a generic recommendation, sometimes specific recommendations. It will be helpful if it always provides specific recommendations. The amount of time saved hinges on factors such as code complexity, the programming language employed, and the developer's proficiency in secure coding. If anyone uses Veracode throughout the entire process of building an application, from the start of development to the final production stage, can result in a time savings of around 30% to 40% when leveraging various security measures of the platform.

Veracode has had a good impact on our organization’s overall security posture. If we choose to take the complete Veracode module, we can have security from the initial step to the production phase. 

I will recommend others to implement the solution. Veracode is in the Gartner Magic Quadrant. It is doing a good job.

Overall, I rate the product a nine out of ten.

I helped customers to build and start the journey of SecOps with Veracode.

Veracode helps to know and prevent vulnerable code or applications from being deployed. We can scan, consume reports, and fix vulnerabilities before deploying an application.

It is very good for ensuring compliance with industry standards and regulations. We can have many dashboards and reports related to policy management.

Veracode provides visibility into application status at every phase of development. We can have many analytics dashboards and reports, and we can build a custom dashboard to have this visibility. This visibility is essential for DevSecOps processes. We need this visibility and information to have a strategic approach and mature our security.

Veracode has the lowest false positive rate in the market. Its results are accurate. In some cases, it is very difficult to see a false positive. We report it to the engineers, and they analyze it. If it is truly a false positive, the engineers will update the engine to provide better results at the next scan. The false positive rate of the static analysis has not affected the time we spend on tuning policies.

It has had a very good effect on our organization’s ability to fix flaws. We are developing a new feature, and Veracode will help to quickly fix any flaws.

It has helped our developers save time, but I do not have the metrics.

All features are valuable. I especially like SAST and ADO.

It is scalable and quick to deploy into the site and the pipelines. The reports and analytics are good, and the false positive rate is low. It gives true results.

There should be more APIs, especially in SCA, to get some results or automate some things.

I have been using this solution for almost three years.

It is very stable.

It is very scalable. I help other companies to deploy. Some of them are small, and some of them are big.

Their support is good. I would rate them a nine out of ten.

Positive

I have not used any other solution previously. I have only worked with Veracode.

It is a SaaS solution. Its initial setup is straightforward. I started with the most critical applications and automated the scanners inside the pipeline. After getting the results, I aligned the security policies. I prioritized the most critical vulnerabilities and assigned these reports to different groups and teams. I also integrated the other plugins into the IDE.

I implemented it myself. I work with DevOps and security teams. In some cases, I also work with developers.

It does not require any maintenance. Because it is a SaaS solution, the maintenance is provided by them.

The ROI is in terms of time savings and mature security. When you deploy a solution like Veracode, you can have these quickly.

It reduces the cost of DevSecOps for the organization when you use it for more than one year.

Its pricing is fair.

It is essential and perfect for preventing vulnerable code from going into production. Nowadays, it is very important and sensible to have a solution like Veracode to know all the vulnerabilities and manage and prioritize the ones that are more critical and better for security posture.

I have not used the Software Bill of Materials (SBOM) feature much, but it is easy to create a report using the SBOM feature. It is important for the supply chain that your software uses.

I would rate Veracode a nine out of ten.

We scan various types of software codes, such as codes or applications built in languages like C, Java, Python, PHP, and Ruby, among others. We assess the code quality using Veracode.

Veracode prevents 90 percent of vulnerable code from being introduced into production.

Previously, in our organization, we did not have a dedicated workflow or a tool for capturing code vulnerabilities. After the code passed the testing phase, it was directly implemented in production. However, since implementing Veracode and launching it, we have been able to identify vulnerabilities beforehand. As a result, our code now goes into production without any vulnerabilities. Only after ensuring this, do we allow it to go live.

Veracode provides visibility into application status at every phase of development.

Based on our experience, Veracode quickly and effectively identifies false positives.

Our project teams understand the importance of conducting code scanning in addition to code development and Veracode testing. This ensures that any flow issues are addressed before proceeding to the next phase. It has become ingrained in their approach.

Veracode has helped our developers save time by assisting in fixing the vulnerabilities that could have had disastrous effects if they had gone into production.

Veracode has had a tremendous impact on our security posture, particularly in one region in Asia where Veracode is being used for security testing and vulnerability assessment. Now, other regions, including the US, have also recognized its value and started adopting Veracode.

Static Scanning is the most valuable feature of Veracode.

Veracode's policy reporting, which ensures compliance with industry standards and regulations, is valuable. It would also be helpful to have a specific example that we can relate to in order to better understand it. Currently, the information is scattered, so precision would greatly assist us.

Veracode can be improved in terms of software composition analysis and related vulnerabilities. For instance, when an application team provides us with their software code, we perform code scanning. During this process, we often encounter software composition analysis vulnerabilities that require the application team to upgrade their Java file from version X to version Y. We then communicate this to the application team, and they proceed with the upgrade. Once the upgrade is complete, we conduct a rescan. However, during the rescan, Veracode may identify compatibility issues with the upgraded version Y. This situation puts the application team in a difficult position, as they may be unable to accommodate this change within their project schedule. Therefore, this is an area where I believe Veracode could make improvements.

The technical consultation can be enhanced to effectively address the communication variations among different regions.

I have been using Veracode for three years.

Veracode is 100 percent stable.

Veracode can scale to meet our maximum requirements.

There are cultural differences in the way we communicate with people from different countries. So, when a Japanese person is talking to an American, the rapid conversation provided by the American technical support person may not be easily understood by the Japanese individual. As a result, instead of having just one discussion or consultation with Veracode, we end up having three to four consultations.

Neutral

I give Veracode a ten out of ten.

We are using Veracode in multiple locations and departments.

Veracode does not require any maintenance.

Veracode is an extremely user-friendly tool, operating through a web interface. Additionally, the support and guidance offered by the Veracode team are excellent. Considering all of these factors, I believe Veracode should be the choice for anyone.

I use Veracode to prevent vulnerable code from going into my application.

The major improvement is that we have secure platforms, free from vulnerable code, so I'm very pleased. It's definitely a helpful solution. It helps me to minimize risks. We know that things are very secure and cannot be hacked because we have taken out the vulnerable code. Overall, the effect is that we are very secure and very reliable for our clients.

And Veracode has improved efficiency and the quality of work in our organization. It gives our developers the confidence to develop faster, saving a lot of time. It saves them around 30 percent of their time.

And the false positive rate is very impressive. It saves us a lot of time, about 20 percent, on tuning policies.

We also know that we are compliant in our industry.

The static scanning and the analytics are ideal for me. The static analysis gives you deep insights into problems.

And creating a report is easy.

They need to have a plug-in, a better integration with the development environment. 

I have three years of experience with Veracode.

It is a stable product.

It is scalable enough.

The setup is very simple. I deployed it alone and it took me five hours.

And it doesn't require any maintenance.

I have seen a return on investment of about 50 percent. It has reduced the number of DevOps that we need, saving us about $800 per month.

The pricing is fair. You get a lot out of the product. If you're concerned about the pricing, I will show you how it is cheap.

I would recommend using Veracode to help you understand your software and remove vulnerable code.

We use Veracode to scan our products for code security. Our company also uses Veracode's data security module.

Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode. I rate Veracode's compliance features a nine out of ten because it provides detailed reports after each scan about potential regulatory violations. 

The solution's static analysis streamlined our DevSecOps process, which previously involved a lot of manual work to trace code vulnerabilities. Veracode reduced our DevSecOps team's time on these tasks by around 20 to 30 percent while drastically improving code quality. 

In the past, we also performed a scan using third-party vendor partners that took days to complete. Veracode conducts a quick dynamic scan each time a new iteration of code is built and deployed into the environment. It gives us an immediate result. We can deploy our products much faster, and there are no delays or surprises after the product is built. We aren't wasting time from development to deployment.

Our overall security posture improved, but we've only been using Veracode in production for less than two months. We expect a massive improvement in the next six to eight months.

The false positive rate is typically less than five percent. False positives can affect how developers use a solution. If we see too many false positives, we might start ignoring alerts. Sometimes the developers lose confidence and may take the work lightly. It isn't an issue currently because the rate is under five percent. 

Dynamic scanning is the most useful feature.

Veracode's ease of use could be improved. I would also like to see more online videos and tutorials that could help us understand the product better. It would also be helpful if Veracode created a certification program for DevSecOps staff to learn about their product and get certified. This kind of training would raise the company's profile within the industry. 

We have used Veracode for about three months. We did a proof of concept for one month, and it has been in production for two. 

I rate Veracode a ten out of ten for stability. We haven't had any issues.

Veracode is scalable, but we haven't scaled it up. However, I expect it will work well when we do.

I rate Veracode support a nine out of ten. Their support system is excellent and highly engaged.

Positive

We tried some Indian solutions and used third-party scans for static analysis, but Veracode is the first time we have fully integrated an enterprise code security solution.

Veracode is a SaaS solution. Setting it up isn't simple, but it isn't too complex. We deployed Veracode with a three-person in-house team. Veracode requires a decent amount of maintenance. You must perform periodic validation checks on how the engine is performing. 

You have to compare the price to the potential cost of data security threats, which could devastate your reputation and revenue overall. We do not doubt that the investment is worth it. It's too early to calculate an ROI, but we anticipate a reduction in overall DevSecOps costs. 

Veracode is priced competitively for our market. 

We evaluated a few other vendor partners and decided to go with Veracode because of the various features they offered.

I rate Veracode a nine out of ten. If you plan to implement Veracode, your DevSecOps should adopt modularized-based code segregation for better visibility into how this ecosystem works. It's crucial to be clear about the solutions you are procuring. There are multiple options, and not everything will work for you. Understanding your requirements, what your customer needs, and what will work best for your product is essential. Purchase the solution most suitable for your product and your company. 

You should also maximize Veracode's benefit by working closely with the tech support team. We don't use many of the features we have procured. Setting up an ongoing review mechanism with Veracode technical support is critical to better understand the product and ensure you get the maximum return for your investment. These are some points that company leaders need to discuss with their DevSecOps and DevOps teams.