Shobana Raghu - PeerSpot reviewer
Application Development Analyst at a consultancy with 10,001+ employees
Real User
Aug 18, 2023
Showed us where errors were and helped us track their status, but reporting could have been more detailed
Pros and Cons
  • "I liked that I could easily find out where my errors were. Instead of going through the whole code and the scripts, it showed me where the errors were and gave me an idea of how to fix them."
  • "The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed."

What is our primary use case?

We used it for static and dynamic testing to check if there were any vulnerabilities in the code. If there were any vulnerabilities, we would check the report downloaded from the Veracode portal and try to fix the code before deploying it.

How has it helped my organization?

Veracode helped me remove errors, and it didn't take a long time to fix any issue because I had an answer regarding where the code needed to be fixed. That feature helped us test our cases and get them deployed. It helped me fix vulnerabilities and any other errors before deployment to the applications.

The SAST and DAST scans—we used it both before code was deployed and after it was deployed—helped us run through the issues and keep track of their status. It was deployed in the pipelines, through Jenkins, and checked the logs in Kubernetes.

The solution also saved us time. I really liked the automatic scanning because there was no way to know where an issue was. Human tendency is to make mistakes, but Veracode helped us find the exact spot where an error was and change it. The reporting helped us do that in a short amount of time.

For our team, it had a very good impact. My manager used to suggest that before taking code to the next level, it was a really good idea to scan it.

What is most valuable?

I liked that I could easily find out where my errors were. Instead of going through the whole code and the scripts, it showed me where the errors were and gave me an idea of how to fix them.

What needs improvement?

The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed.

Also, with upgrades, we had quite a difficult time tracking the reports, so there was some maintenance around that.

Buyer's Guide
Veracode
February 2026
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: February 2026.
883,760 professionals have used our research since 2012.

For how long have I used the solution?

I used Veracode for 13 months.

What do I think about the stability of the solution?

I had a situation that was due to a slow network, and I couldn't get results within a specific time. Because of that, there was a lag in production; we couldn't deploy the code on time. There was a crash, and because of that, we couldn't meet our production deadline.

The downtime happened two or three times. I thought it was due to a network issue when it happened once, but then I came to understand that it was a maintenance issue.

What other advice do I have?

Veracode is really not difficult or complex to understand. The whole concept is simple. It takes some time to get used to the tool, but it is a very simple tool to work with.

It was quite fast. Scanning my code took 25 to 30 minutes, which was quite good.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Vladimir Shilov - PeerSpot reviewer
DevSecOps at a computer software company with 1,001-5,000 employees
MSP
Aug 18, 2023
With extensive reporting capabilities and a user-friendly interface, the tool is also highly scalable
Pros and Cons
  • "The most valuable features of the solution are its extensive reporting capabilities and user-friendly interface."
  • "There are certain shortcomings in Veracode's static analysis engine. I would improve Veracode's static analysis engine to make it capable of identifying vulnerabilities with low false positives."

What is our primary use case?

I have helped other companies implement Veracode Static Analysis in their IT environment. In our company, we need to scan many .NET applications using Veracode, and we could scan our software since it is a SaaS solution, after which we process the reports to improve the product.

What is most valuable?

The most valuable features of the solution are its extensive reporting capabilities and user-friendly interface.

What needs improvement?

There are certain shortcomings in Veracode's static analysis engine. I would improve Veracode's static analysis engine to make it capable of identifying vulnerabilities with low false positives.

The product is good, and if improvements are required, then such improvements should not be significant enough. There may be a slight scope to improve the product's integration capabilities. The product can also consider improving its support of different .NET versions and other programming languages, like Java.

For how long have I used the solution?

I have been using Veracode Static Analysis for three or four months.

What do I think about the stability of the solution?

Our company faced some issues with the tool, but the support team solved these issues quite quickly. The stability of the tool is high. Stability-wise, I rate the solution an eight out of ten.

What do I think about the scalability of the solution?

It is a scalable solution. We can implement the tool in different DevOps environments and projects, because of which we can create groups of applications and apply different policies to application groups, making it an enterprise-level tool. Scalability-wise, I rate the solution a ten out of ten.

How are customer service and support?

The solution's technical support helped us solve different problems related to Veracode, including some of its use cases. Veracode's support helped our company get around a problem and how to set up the scan rules correctly when we had some unexpected errors during the scanning process. I rate the technical support a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have experience with Snyk. I used Snyk a year ago. Snyk doesn't support the version of the .NET applications we use in our company, so we decided to move to Veracode.

What about the implementation team?

The initial setup was easy since it is a SaaS solution and a well-documented product at the same time. In our company, we don't need to spin up a server to install something since we simply use the web interface and integrate the web interface with the DevOps environment.

On a scale of one to ten, where one is a hard setup and ten is an easy setup, I rate the initial setup phase an eight or nine.

The solution is deployed on the cloud. In our company, we use Microsoft Azure DevOps for our environment, but I don't know the environment in which Veracode gets used in our company. Veracode offers a web interface and API, so I don't know their cloud solutions.

The deployment is quite fast, but its overall quickness in terms of deployment depends on the number of applications you want to scan. If you want to scan one application, the deployment can be quickly done since we need to integrate Veracode into our DevOps environment.

What's my experience with pricing, setup cost, and licensing?

The pricing of the product depends upon the number of codes or the number of applications.

What other advice do I have?

I recommend those planning to use the solution check the system requirements and choose a solution that supports programming languages and .NET Framework versions that record scans.

I am not sure if it is one of the best solutions because I am not an expert in other solutions available in the market. Somehow, I personally feel it is one of the best tools in the market.

I rate the overall product a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Implementer
Systems Engineer at a logistics company with 1-10 employees
Real User
Jul 28, 2023
By continuously scanning our applications, we can mitigate risks that may arise in some workflows
Pros and Cons
  • "Veracode's most valuable aspect is continuous integration. It helps us integrate with other applications so that it can monitor the security process."
  • "Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses."

What is our primary use case?

Veracode helps scan applications for security purposes to ensure they are safe before deployment. The solution is continuously monitoring the security of our infrastructure and workflows. About five people use the solution across our organization. 

How has it helped my organization?

Our security posture has improved since we implemented Veracode because our developers have a better understanding of the security risks that may arise due to some actions we take on various projects and tasks. We're more aware of how vulnerabilities can be introduced into our daily work. 

Veracode has reduced the amount we spend to remedy security risks by about 60 percent. Security testing is much easier than before. The time needed to address vulnerabilities can affect the workflows and lead to late delivery of our services across customers. It has helped us to mitigate risks by effectively monitoring workflows. The conditional scanning procedures we previously used have been replaced by modern systematic algorithms.

Veracode saves time and costs because it's flexible in terms of an organization's data requirements. It can provide data intelligence from various work platforms and guidance on the best practices for security mitigation so we can safeguard our data in various work processes.

The solution enables us to establish a strategic policy management infrastructure to monitor the performance of each application periodically and report on the security performance. The dynamic analysis gives us feedback from time to time and performance metrics inside the program interface. 

This platform is one of the most efficient and effective tools for upgrading applications to meet an organization's performance standards and policies. It helps us improve our development because sometimes the coding procedure might not reflect the latest threats. 

What is most valuable?

Veracode's most valuable aspect is continuous integration. It helps us integrate with other applications so that it can monitor the security process. By continuously scanning our applications, we can mitigate risks that may arise in some workflows. It streamlines compliance, policy management, and reporting on various data analytics. We use it daily to gain insight into our work processes.

The solution is built into our SecOps program. It offers modern policy management, essential support, and analytics features. It's efficient with fast and powerful risk-mitigation tools.

What needs improvement?

I think Veracode could integrate some advanced technologies to better address new threats as they arise. 

For how long have I used the solution?

We have used Veracode for about a year.

What do I think about the stability of the solution?

Veracode has been a stable product. We've had some downtime, but it has performed well overall. 

How are customer service and support?

I rate Veracode support a nine out of ten. Veracode's support team has always been helpful. When we contact them by phone or online chat, they respond quickly with a solution within the time frame established in our support contract.  

How would you rate customer service and support?

Positive

How was the initial setup?

Deploying Veracode was straightforward, and we had help from the vendor's support team. Our deployment team has six members, and the whole process took about three weeks. 

After deployment, the product requires some maintenance. We sometimes face some networking challenges that require repairs, and we need to periodically update some tools.

What was our ROI?

Veracode is a good investment, and I can recommend it to anyone who is looking for the best security tester. I estimate that we saw a 60 percent ROI this year, and it continues.

What's my experience with pricing, setup cost, and licensing?

Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses. 

What other advice do I have?

I rate Veracode an eight out of ten. I would recommend it to others who need to do testing for application performance or security and risk management. 

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Data Research Analyst & Business Development at a marketing services firm with 1-10 employees
Real User
Top 10
Jul 26, 2023
Reduces manual processes for us, saving significant time
Pros and Cons
  • "The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws."
  • "The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced."

What is our primary use case?

The most important purpose of this platform is code security. We are able to scan our code and find security flaws.

How has it helped my organization?

Veracode has saved us a lot of time because we have been able to reduce manual processes. We are able to do most things automatically with the platform. It has saved us between 30 and 40 percent of our time.

What is most valuable?

The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws.

The sandbox environment is also one of the features we are using, as well as integration with our CI/CD pipeline, which is very useful. The product is pretty easy to understand, which is quite good.

The policy reporting for ensuring compliance with industry standards and regulations also helps us a lot.

It gives us visibility into application status at every phase. We have definitely seen an improvement in that regard.

For how long have I used the solution?

I'm pretty new to this platform. I'm going with a trial right now and have been using it for about a month. We have spent most of our time analyzing the code.

What do I think about the stability of the solution?

It's a stable product.

What do I think about the scalability of the solution?

It is also very scalable.

How are customer service and support?

The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

This is the first such tool we are using.

How was the initial setup?

The initial deployment was not very complex. It took us around 15 days because we were trying to understand the policies and many other things. Our team has 15 people and everyone was involved in making some decisions regarding the solution.

We have only needed help with the product itself. That's what we have reached out to their team for. But there hasn't been any maintenance of the product for us.

What's my experience with pricing, setup cost, and licensing?

The pricing is a bit high. Although we are in a trial phase, if we are going to make the decision to purchase the software, the pricing is going to be high for us.

What other advice do I have?

We are able to justify the false positives because security flaws are one of the biggest things that Veracode's features help us with.

Overall, the product is good. It has made a very good impression. There are some flaws, as I have mentioned, but overall it looks very good, with the features I've mentioned. The impact on our security has been good. The main challenge for us will be the pricing, but if we ignore that factor, the impact has been very good and we would definitely implement Veracode.

I would suggest having a look at Veracode. Go for a trial of the system to see if Veracode is something that can help solve your problems. Pricing should be ignored because there are definitely some very specific features that help a lot. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer1510059 - PeerSpot reviewer
Solution Architect at a tech vendor with 10,001+ employees
Real User
Jun 20, 2023
Includes valuable static and dynamic code scanning and detailed reports
Pros and Cons
  • "The static scan and the detailed reports, which include issue information and permissions, are the most valuable features."
  • "Veracode does not support scans for .NET Blazor server applications."

What is our primary use case?

We are developers who utilize Veracode for the static and dynamic scanning of our applications.

How has it helped my organization?

Veracode provides both us and our customers with confidence that our applications do not have any issues by helping to prevent any vulnerable code from being deployed in production.

Veracode has helped us improve the way we conduct static and dynamic code testing in our organization. Based on the reports we receive, we can quickly identify what needs to be fixed immediately after the scan. For minor issues, we are given time to address them after moving into production, but for major issues, the application is unable to enter the production phase.

We utilize Veracode for static and dynamic code scanning in our software configuration and lifecycle management. It is integrated as part of our pipeline, allowing the code to be automatically scanned in the background. This enables us to review the reports promptly.

The information provided by Veracode enables us to easily rectify vulnerabilities in the workflow.

Veracode can help our developers save time, depending on the issue and the age of the application.

Veracode saves time by automating the basic tasks that were previously performed manually.

Veracode has had a positive impact on our security stance and has empowered our customers to confidently migrate their applications to the cloud.

What is most valuable?

The static scan and the detailed reports, which include issue information and permissions, are the most valuable features.

What needs improvement?

Veracode does not support scans for .NET Blazor server applications. We encounter errors whenever attempting a scan. I would appreciate it if Veracode could incorporate support for these applications.

I would like Veracode to offer code support for the latest releases of .NET whenever they are released by Microsoft.

For how long have I used the solution?

I have been using Veracode for over one year.

What do I think about the stability of the solution?

Veracode is stable.

How are customer service and support?

The technical support is helpful, but they operate on their own schedule, so in certain instances, we have to endure a considerable wait for a resolution.

How would you rate customer service and support?

Neutral

What other advice do I have?

I give Veracode an eight out of ten.

Our customer provides us with a Veracode profile account for uploading and testing code. We do not manage the solution or have any insight into how it is deployed.

I highly recommend Veracode for assisting in identifying vulnerabilities in code.

I have learned that Veracode can confidently scan and detect vulnerabilities in code. However, for older or unsupported applications, we need to seek an alternative solution.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
Peter Westin - PeerSpot reviewer
Backend Engineer at a tech company with 1,001-5,000 employees
Real User
Mar 13, 2023
Interactive lab helps developers think like attackers and become more security-aware
Pros and Cons
  • "It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that."
  • "I would like to see more AI features. It's a current subject because with ChatGPT and other solutions being developed all the time, IT attacks will increase... To defend against those it's very important that the good guys use AI in ways that are good instead of bad."

How has it helped my organization?

Because Veracode is more interactive than Secure Code Warrior, the big benefit for our organization will be that the developers will not just get the blue team excited, but they will learn to think like the red team, like an attacker. The interactive labs will help developers see that some of the red team attack methods aren't that hard to do, and that will bring them more security awareness. 

Because developers will see exactly how you do a certain type of red team attack or exploit, they will understand that it's important that they don't think, "Oh, this could never happen." And when they realize that some of the attack methods are not so hard to implement, they will secure the code base and fix the vulnerabilities that already exist.

For example, when I tried SQL injection labs, I learned new ways to make those, and that is extremely valuable for me because, if I'm working with a code base, I can know exactly how to mitigate SQL injection, because not all systems are using Hibernate. I've been on code reviews where I could actually point out things related to injection, which is something I wouldn't have been able to do without Veracode.

Another big benefit for our organization is that it is more interactive and fun, in a way, than Secure Code Warrior. Developers will engage and spend more time in Veracode.

It has had a good effect on my security posture because the labs are very informative with current information, showing you some of the things that could be done by attackers if your code is done incorrectly. I have retained more useful information in a fast manner.

And if we talk about scanning, we will see advantages there as well. For example, I'm working on a Java project and because Java is a high-level language, it's hard to make code errors. But if I worked with C or C++, the scanner tool would be very good. If you take the OWASP dependency checker, for example, it goes through all the third-party dependencies which are often where the trouble is in a Java project. However, I have heard that you can upload the necessary files and it will go through the third-party components as well and, in that case, it's very beneficial for the organization to have such a tool.

What is most valuable?

It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that.

I like the web interface of the interactive labs and the information there. It's very well done by those who developed it, and it works very well. It's very fun and you get to learn new things and think like an attacker. It's not like on TryHackMe, but the information I got from doing the labs here was information that I didn't have before. The quality of the information was really good.

When I started to use Veracode, there were a lot of policy documents and I actually have a habit of always reading those. I haven't made a list of all the regulations and policies and how well it complies with all the security regulations, but from what I could see, it is aligned with security regulations and certifications. And in the lab environment, they have divided things into different topics like OWASP top-10. That is very actual and follows the security guidelines that are commonly accepted by organizations today.

What needs improvement?

I would like to see more AI features. It's a current subject because with ChatGPT and other solutions being developed all the time, IT attacks will increase. I actually talked to the CEO of an IT security company in the United States because he ranked the top-10 IT security risks this year, and one of the biggest risks was new vulnerabilities or attacks would occur because of ChatGPT and similar services. To defend against those it's very important that the good guys use AI in ways that are good instead of bad.

For how long have I used the solution?

I have been using Veracode for about two weeks. I recently got access to Veracode to test it. I've been spending a lot of time on it, working with it in the lab environment. I have also tried out the scanning tools for code bases, but I mostly have experience working with it in the lab environment.

What do I think about the stability of the solution?

I haven't used it for very long, but I have never experienced any problems with the stability.

What do I think about the scalability of the solution?

We are an enterprise-size company and I know that our security employees are using Veracode and some of the developers as well, but I don't know to what extent developers are using it. It's pretty widely used across our organization.

How are customer service and support?

I give their technical support a very high grade. I was in contact with them with an inquiry I had, and there was a very fast response time. They took my request and prioritized it. They were nice as well, and that's how you want support to be, although not every support team is like that.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I was previously working with Secure Code Warrior which is very different, but it's within the security field.

Which other solutions did I evaluate?

I've been using the security platform TryHackMe a lot, which also has a web console, but I wouldn't pay for the kind of console window that TryHackMe had. It has a lot of good aspects, so no disrespect to them; I learned a lot from it. But I understand how hard it is to create that and Veracode has managed to do so in a responsive way that works well. It's very impressive.

What other advice do I have?

Scanning tools are a big safeguard for getting vulnerable code out of production. It's almost mandatory today to scan applications because there are so many attacks happening in the world right now, no matter which solution you use.

I was very pleased when I tried Veracode because I hadn't heard about it before, but it was much better than I thought.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Shiva Prasad Reddy - PeerSpot reviewer
Program Analyst at a tech services company with 10,001+ employees
Real User
Feb 7, 2023
Helps developers look at things with a different, more secure, perspective, decreasing the flaw rate
Pros and Cons
  • "It pinpoints the errors. Its accuracy is very interesting. It also elaborates on flaws, meaning it provides you with details about what is valid or not and how something can be fixed."
  • "There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. Also, the duration of the scan is a bit too long."

What is our primary use case?

In my previous company, we had a healthcare app. We used Veracode to run a spontaneous static analysis as well as dynamic analysis, to resolve our vulnerabilities. We were releasing versions every month. Each month we were looking at the results of Veracode and fixing the problems.

How has it helped my organization?

It helps fix a lot of flaws and bugs. As a developer, you look at things with a different perspective with the Veracode results. You can see that certain things can be implemented in another way, how they can be more secure. As a result, it helps improve your level of understanding and decrease the number of production issues.

Using Veracode, it was very interesting to see the difference when I compared things over a three-month timeline. During the initial three months, when I started using Veracode, I found the percentage rate of flaws was around 60 to 70 percent in the entire file we were uploading. After using Veracode over the next three months, our score decreased to a 30 to 40 percent flaw rate. We were able to do our quarterly development in a very secure way.

For example, we recently encountered a flaw that might be exploited. We implemented a function to store passwords that were encrypted. That functionality was written in a pretty vulnerable manner. By looking at the code, we could see, "Okay, this might be exploited." But when Veracode pointed out multiple times, "This might be vulnerable," and "This might be vulnerable," it helped us improve our developer standards. It gave us a brief idea of how this particular code implementation could be improved.

There is also a feature called Veracode Pipeline Scan which provides instantaneous feedback. That was a major addition to our process and has worked out very well. Developers get instant feedback about their flaws, making them easy to fix while in pre-production. That is one of the major boosts that we have implemented. It enables our developers to fix things in parallel, and that has saved time, about 20 to 25 percent, and resulted in better coding. As a security guy, I can see the differences between the initial processes and the processes we have six to eight months after implementing Veracode Pipeline Scan and Veracode in general. 

Overall, it has reduced the time that we used to spend working manually to pinpoint the issues that we found. Veracode makes it an automated process. Also, we can use it in parallel. If Veracode is the main "hub," we can have "sub-hubs" such as static analysis and Veracode Pipeline Scans. Both can be done simultaneously, reducing the manpower required by a lot, and providing correct results. And it has improved our understanding of the different kinds of flaws and vulnerabilities that are in the report. Veracode, as a tool, has made things better.

In terms of security posture, when I had just joined my previous organization, there was a meeting about client feedback. Initially, their comments were that things were not very stable. They said it was easy to steal data. After using Veracode, and as our developers adapted the tool and developed secure code, the client's feedback was that things were pretty stable and good. At first, the feedback was very ruthless. We were not up to security standards. But once we started using Veracode, it became the main pillar of our security. We overcame certain challenges and the client feedback was pretty good.

What is most valuable?

It yields around 90 percent accurate results. It pinpoints the errors. Its accuracy is very interesting. It also elaborates on flaws, meaning it provides you with details about what is valid or not and how something can be fixed.

Another valuable feature is in the dynamic analysis, which provides information on which libraries are outdated so that we can improve them and get them up to date. We found a lot of outdated libraries in use in our organization. As a result, it has improved our stability. The software composition analysis keeps you updated on each kind of data it reports on, including libraries and third-party DLLs.

What needs improvement?

There is a sandbox limit of 10 so any company using Veracode needs to plan for only having those 10 sandboxes. If they increased that to 25 or 30, the scan time would decrease and the results should be more effective.

There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. 

Also, the duration of the scan is a bit too long.

For how long have I used the solution?

I used Veracode in my previous company but recently changed to a new company. Overall, I have used it for around 1.5 years.

What do I think about the stability of the solution?

Its stability is fine. On a scale of one to 10, I would give it a seven for stability.

What do I think about the scalability of the solution?

It's a scalable solution.

We have it implemented in two offices, the main office in the US and a single office in India. There are only 10 to 12 people using it in our organization, meaning in India. I am not aware of how many users there are in the US.

How are customer service and support?

Their support team needs to respond in less time. It takes a lot of time for them to respond. When we reach out, we are waiting, most of the time, for two or three weeks to get a reply from them. That is the one major piece of feedback I have for Veracode.

Their technical support is very good, except for the response time. When we are stuck with something technical, they explain how to use it in multiple ways. They are supportive and that is pretty good.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We were using a couple of other tools along with Veracode. One was SonarQube and the other was Acunetix.

What other advice do I have?

The false positive rate is pretty low. When I started using Veracode, there were a lot of false positives, but that number became notably smaller. There are some false positives because new types of flaws are generated for each new version.

Initially, in general, whenever you see any kind of false positives or true negatives, it reduces your confidence. But whenever the reports are generated by Veracode, as developers we can understand that they show certain patterns of what might be a false positive. So we get an idea that this kind of a flaw might be a false positive while this kind might not be a false positive. We get clarity about the reports sent by Veracode. At a certain point, we might be sure that we can explain all the false positive data to management so that they can look into them and understand: If this kind of data or this kind of code flaw comes up, it is a false positive. We can easily associate these scenarios with false positives because they are normal and common.

During the initial phase, false positives affect our time because we can't deduce any conclusions. Static analysis is the kind of process in which you will encounter false positives in certain cases. But after a couple of implementations of machine learning, the results should be pretty accurate and the false positives should decrease.

Preventive maintenance is critical. Per my experience with Veracode, there are certain maintenance issues, but they are the normal types of things.

I would highly recommend Veracode, but initially, don't do a deep dive into the tool. Take a couple of licenses to start adapting to the tool and work out how it works and whether it's suitable for your development processes and developers, and get their feedback. I highly recommend it because it's a real time-saver, provides stability, and improves your organization's productivity.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
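The two things this reviewer keeps coming back to, instant Pipeline Scan feedback in CI and learning which report entries are recurring false positives, come together in a build gate: parse the scan's results file, drop findings already triaged into a baseline, and fail the stage only on new findings above a severity threshold. The script below is an added example written for this page, not Veracode's own code. It assumes (labelled in the comments) a results JSON whose findings carry a numeric severity, a CWE id and a source file/line, and a baseline file in the same shape; the sample data is constructed, not real scanner output, and the field names are an assumption to check against the current pipeline scan documentation, which has its own baseline-file and fail-on-severity options that this script reimplements so the logic is visible.

```python
"""Gate a CI build on Veracode Pipeline Scan style results.

Added example (not Veracode's own code). Assumptions, labelled here and in
the comments: the scan writes a JSON results file whose findings carry a
numeric severity (0-5), a CWE id, and the source file/line; a baseline
file in the same shape lists findings already triaged as false positives
or accepted risk. The sample data below is constructed, not real output.
"""
import json

# Constructed stand-in for results.json (assumed field names).
SAMPLE_RESULTS = json.dumps({
    "findings": [
        {"severity": 4, "cwe_id": "89",
         "issue_type": "Improper Neutralization of Special Elements used in an SQL Command",
         "files": {"source_file": {"file": "src/repo/UserDao.java", "line": 42}}},
        {"severity": 3, "cwe_id": "327",
         "issue_type": "Use of a Broken or Risky Cryptographic Algorithm",
         "files": {"source_file": {"file": "src/auth/PasswordStore.java", "line": 17}}},
        {"severity": 2, "cwe_id": "117",
         "issue_type": "Improper Output Neutralization for Logs",
         "files": {"source_file": {"file": "src/web/Audit.java", "line": 88}}},
    ]
})

# Constructed baseline: one finding a reviewer already marked as a false positive.
SAMPLE_BASELINE = json.dumps({
    "findings": [
        {"cwe_id": "117",
         "files": {"source_file": {"file": "src/web/Audit.java", "line": 88}}},
    ]
})

SEVERITY_NAMES = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low", 0: "Info"}


def fingerprint(finding):
    """Identity of a finding for baseline matching: CWE + file + line."""
    src = finding["files"]["source_file"]
    return (str(finding["cwe_id"]), src["file"], int(src["line"]))


def load_findings(text):
    return json.loads(text).get("findings", [])


def triage(results_text, baseline_text=None, fail_on_severity=4):
    """Split findings into new vs. baseline-suppressed and pick the blockers.

    Returns (new, suppressed, blocking); blocking are the new findings whose
    severity is >= fail_on_severity (default: High and above).
    """
    baseline = set()
    if baseline_text:
        baseline = {fingerprint(f) for f in load_findings(baseline_text)}
    new, suppressed = [], []
    for f in load_findings(results_text):
        (suppressed if fingerprint(f) in baseline else new).append(f)
    new.sort(key=lambda f: f["severity"], reverse=True)
    blocking = [f for f in new if f["severity"] >= fail_on_severity]
    return new, suppressed, blocking


def format_report(new, suppressed, blocking):
    lines = [f"{len(new)} new finding(s), {len(suppressed)} suppressed by baseline"]
    for f in new:
        src = f["files"]["source_file"]
        flag = "BLOCK" if f in blocking else "warn "
        lines.append(f"  [{flag}] {SEVERITY_NAMES.get(f['severity'], f['severity'])}: "
                     f"CWE-{f['cwe_id']} {f['issue_type']} at {src['file']}:{src['line']}")
    return "\n".join(lines)


def main():
    new, suppressed, blocking = triage(SAMPLE_RESULTS, SAMPLE_BASELINE)
    print(format_report(new, suppressed, blocking))
    return 1 if blocking else 0   # non-zero exit fails the pipeline stage


if __name__ == "__main__":
    raise SystemExit(main())
```

Run against the constructed sample, the SQL injection finding blocks the build, the weak-crypto finding is reported as a warning, and the log-neutralization finding is suppressed because it is in the baseline. The fingerprint is deliberately simple; because it includes the line number, a baseline entry stops matching as soon as unrelated edits shift the file, so a real gate should key on whatever stable flaw identifier the scanner provides, and the baseline file should be reviewed like code so that "known false positive" does not quietly become "ignored forever".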
Vice President of Engineering at a tech vendor with 11-50 employees
Real User
Feb 7, 2023
Helps us capture security vulnerabilities that we would not catch otherwise
Pros and Cons
  • "The Security Labs [is] where I have the developers training and constantly improving their security, and remembering their security techniques. That way, they are more proactive and make sure things are correct. They're faster because they're doing it in the first place."
  • "There are many times when their product goes to check my code and it dies, and I don't know why. I've contacted support and they're not really helpful with this particular problem. I go to the logs and I look at what I can but I can't tell why the check process has essentially just died in the middle of checking."

What is our primary use case?

We use it for security validation. As a company, we need to make sure that our code is secure. Not only do we need and want to do this for ourselves, but we also need to do it because of our security obligations to our clients.

How has it helped my organization?

It has been helping us capture security vulnerabilities that we would not catch otherwise.

When it comes to our ability to fix flaws, Veracode has given us more visibility into certain flaws that could show up, flaws that can be subtle and not seen in the code. For example, though it was not obvious, there was a case where a developer naively added the authentication into the code, which we're not supposed to do, obviously. It was not seen by our review process, and Veracode caught it and we were able to eliminate it.

It has also helped us to save time. The example, and where I see the most benefits of that, is in the Security Labs, where I have the developers training and constantly improving their security, and remembering their security techniques. That way, they are more proactive and make sure things are correct. They're faster because they're doing it in the first place.

Overall, in terms of our security posture, Veracode has made us more reliable. We're finding those flaws and our clients trust us more because of it.

And when considering whether it has reduced the cost of development, security, and operations for us, the short answer is no. But the long answer is yes. It clearly has added more procedures in place, which we needed to have, and that has definitely increased the cost of development. But in the long-term, how much have we saved from the intangible of a flaw not being exposed?

What is most valuable?

The Security Labs feature, in particular, is valuable, and I have been using the static code analysis as well.

What needs improvement?

I do have two pet peeves with the platform.

  1. The user interface is slow as a dog; really slow. You go to any modern interface and it's a lot more snappy. Even though I understand a lot of what they're doing and why it might be slow, it is really slow. You click on something and it takes two to three seconds. That doesn't sound long, but it just feels super clunky.
  2. There are many times when their product goes to check my code and it dies, and I don't know why. I've contacted support and they're not really helpful with this particular problem. I go to the logs and I look at what I can but I can't tell why the check process has essentially just died in the middle of checking.

Other than those two complaints, I still find it very strong and powerful.

In terms of additional features, the big one I would like to see is that, right now, I have to click through too many things to get to the triage report, which is the main thing I want to see for anything. I have to click through this one screen that doesn't give me any information and I really just want to get to the mitigation review screen quickly. Anything that would save me going through clicks and four or five different screens, because the interface is slow, would be fantastic. I want to get to that mitigation screen because the summary screens are not all that interesting to me. I need to know, "Is this mitigated? Is it not?" and get it checked off and reviewed.

For how long have I used the solution?

I've been using Veracode for two years.

What do I think about the stability of the solution?

It has been a very stable product. I don't think the issues that we're having are related to its stability.

What do I think about the scalability of the solution?

The scalability is "medium" because one of the things I've been having to do now is scale out more of the microservices by tier so that I can verify that the code is correct per tier. For me to scale up like that seems to be taking a lot of effort. I might be doing something wrong. Maybe it could be solved in a different way. But the scalability is average. On a scale of one to 10, I would put it at about five.

We do have plans to use more of Veracode. We are expanding into the SCA, where it is scanning the containers, and we've also just contracted with Veracode to do penetration testing.

How are customer service and support?

The one time I had to use their technical support for the bug where a code check dies, I found them a little off-putting. They have never really fully answered the question. I got tired of asking because they didn't understand what I was saying.

During installation, their support was fantastic, a 10 out of 10. But in dealing with this one issue, I would give them a two.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We haven't used another solution. Veracode is the first solution of this kind that we have worked with.

How was the initial setup?

The initial deployment was pretty straightforward. We ran into some issues, but honestly, nothing out of the ordinary. I would definitely put it toward the easy side. I found the documentation to be appropriate.

The deployment time was days.

We are using Jenkins as our CI/CD. We're using Amazon Cloud K8 deployments.

We integrated it in two different ways. The original way was with AWS CodePipeline. For that, we used Veracode's Docker service. Once we had it hooked up and could send the file, that was pretty easy to use. The second way is we now actually use Jenkins for our code build. We do the same thing although we're going to change to the Jenkins plugin here shortly. But it was still the same, with the ability to use Docker to send the file to Veracode. Once we wrote it, it was really easy, which is why we did it that way on Jenkins. Through both of them, the implementations worked easily.

From the time of deployment, we saw the benefits within one to two months, which was fairly immediate.

There is maintenance required because, sometimes, the pipelines for our code review essentially stop. I have to go and check that, as I mentioned earlier. The second piece of maintenance is that if there are any flaws or false positives, you have to mitigate those results. We have two people involved in the maintenance.

What about the implementation team?

I did the original Amazon CodePipeline implementation by myself and got it hooked up. As we went to more complex things, with Jenkins, that was done through an integrator DevOps team. On our side, it was just me involved.

What was our ROI?

I'm sure we have seen ROI, but I do not have a direct metric on it. There are a lot of intangibles in that. For example, what would be the cost of a particular flaw that we caught with Veracode, if it had gone live?

What's my experience with pricing, setup cost, and licensing?

When I looked at the pricing, it was definitely a value. In terms of the service and what it's checking, the cost was very reasonable, particularly because we could have multiple code bases as part of a project.

Make sure that you're comparing apples to apples if you're concerned about the price of Veracode versus what you're reviewing. Some of the stuff that Veracode does and applies is not the same for other services. When I really compared apples to apples, I found Veracode to be rightly priced.

There were no costs in addition to the standard licensing fees, although we just signed up for a couple of other products.

Which other solutions did I evaluate?

We looked at other solutions but one of the big things that made a huge difference with Veracode had to do with pricing. Because we're moving more and more toward a microservices architecture, and we have about six code bases that make up our entire product, they made it clear that as long as something was a part of our product, it was the same price. That was amazing to us because competitors charged per code base. It was definitely a more economical solution and the one that made more sense, and is more in line, with our product. That really simplified the thought process for us and was a huge competitive advantage.

What other advice do I have?

Veracode is a valuable tool to have in the toolbox to prevent vulnerable code from going into production. Veracode's false positive rate has been very good. It's reasonable. False positives take more time, but I have not noticed that time to be a significant burden. Its policy reporting for ensuring compliance with industry standards and regulations is adequate. 

In terms of having visibility into application status at every phase of deployment, Veracode doesn't provide that. It doesn't control the whole deployment cycle, so there's no way it can report on all of it.

The platform's interfaces look slightly antiquated but don't let that stop you from using it, because it has been a good solution for us.

The biggest lesson I have learned using it is that it's really nice to have these security checks in a single place in your code pipeline. We have multiple security companies at this point, but having the code review and product review security in one place helps us know that that part is "containerized." Having everything dealing with code review in one place is nice.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
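The flaw this reviewer describes, a developer baking authentication material into the code where a human review missed it, is the hard-coded credential class (CWE-798), and it is the kind of thing a static scan catches because it does not get tired of reading constants. The following is an added example written for this page, not Veracode's analysis and not the reviewer's code: a small heuristic scanner run over constructed sample sources, with the vulnerable form beside the hardened one, so you can see the pattern and why the fix (read the secret from the environment or a vault at runtime) stops matching. The regexes, placeholder list and file contents are all assumptions made for the demonstration; a real SAST engine tracks data flow rather than matching names.

```python
"""Heuristic check for hard-coded credentials (CWE-798).

Added example, not Veracode's engine. Sample sources below are constructed;
the name patterns and placeholder list are assumptions for the demo.
"""
import re

# Identifier looks like a credential: password, pwd, secret, api_key, token, ...
CRED_NAME = re.compile(
    r'(?i)(password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token)\w*["\']?\s*[=:]\s*')
# A quoted string literal immediately after the assignment (handles escapes).
STRING_LIT = re.compile(r'''(["'])(?P<val>(?:\\.|(?!\1).)*)\1''')
# Values that are clearly not real secrets (assumed list).
PLACEHOLDERS = {"", "changeme", "xxx", "<password>", "example", "todo"}


def scan_source(path, text):
    """Return findings for literal credential values assigned in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("#", "//", "/*", "*")):
            continue                      # commented-out code is noise here
        m = CRED_NAME.search(line)
        if not m:
            continue
        lit = STRING_LIT.match(line[m.end():])
        if not lit:
            continue                      # value comes from a call/variable, not a literal
        if lit.group("val").strip().lower() in PLACEHOLDERS:
            continue
        findings.append({"file": path, "line": lineno, "cwe_id": "798",
                         "name": m.group(1), "snippet": stripped})
    return findings


def scan_sources(sources):
    """Scan a {path: text} mapping and return all findings."""
    return [f for path, text in sources.items() for f in scan_source(path, text)]


# Constructed sample: the vulnerable form, credentials committed to the repo.
VULNERABLE_JAVA = """\
public class AuthClient {
    // constructed sample: the credential lives in the source tree
    private static final String API_KEY = "AKIA-EXAMPLE-0123456789";
    private static final String PASSWORD = "s3cr3t!";
    private String username = "svc-account";
}
"""

# Constructed sample: the hardened form, secrets resolved at runtime.
HARDENED_JAVA = """\
public class AuthClient {
    // constructed sample: the secret is fetched at runtime, not committed
    private static final String API_KEY = System.getenv("SERVICE_API_KEY");
    private static final String PASSWORD = SecretStore.read("svc-account/password");
    private static final String PASSWORD_PLACEHOLDER = "changeme";
}
"""

# Constructed sample in a second language to show the check is syntax-light.
PYTHON_SAMPLE = """\
import os
# password = "old-dev-value"  (comment, skipped)
db_password = "hunter2"
api_token = os.environ.get("API_TOKEN")
admin_pwd = ""
"""

SOURCES = {"AuthClient.java": VULNERABLE_JAVA,
           "AuthClientFixed.java": HARDENED_JAVA,
           "settings.py": PYTHON_SAMPLE}


if __name__ == "__main__":
    for f in scan_sources(SOURCES):
        print(f"{f['file']}:{f['line']}: CWE-{f['cwe_id']} literal {f['name']}: {f['snippet']}")
```

Against the constructed inputs the scanner flags the two literals in the vulnerable Java class and the `db_password` line in the Python file, and reports nothing for the hardened class, because both credentials there are resolved through a call rather than a literal and the one remaining literal is a recognised placeholder. Two caveats a practitioner would raise: name matching produces false positives (an identifier such as `tokenizer` matches the `token` pattern), which is exactly the kind of recurring pattern the earlier reviewer learned to recognise in reports, and it produces false negatives whenever the secret is assembled from pieces or base64-encoded, which is why the commercial tools trace where the value flows instead of what the variable is called.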
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: February 2026