Veracode Reviews

Software Composition Analysis (SCA) is used to detect vulnerabilities in open source libraries, which are used by our customers for their own product. 

We are a consulting company who provides consulting services to clients. We don't buy the software for our own internal use. However, we advise customers about which solutions will fit their environment.

Most of our clients use SCA for cloud applications. 

For application security, the SCA product from Veracode is a good solution. It has a good balance. Altogether, the balance between the outcome of the tool, the speed of the tool, and its cost make it a good choice. 

One of the reasons why we recommend Veracode because it is very important in that SAST and SCA tools, independently from the vendor, should work seamlessly within the build pipeline. Veracode does a good job in this respect.

In this day and age, all software is developed using a large amount of open source libraries. It is kind of unavoidable. Any product application has a lot of embedded libraries. In our experience, many times customers don't realize that it is not just a code that can be vulnerable, but also an open source library that they may take for granted. In many ways, this has been a learning experience for the customers to understand that there are other components to open source libraries, and that SCA is an invaluable tool to address those issues.

SCA provides guidance for fixing vulnerabilities. It provides extensive guidance for both writing secure code and pointing to vulnerable open source libraries are being used.

From the time it takes for the solution to detect a vulnerability, both in the source code and the open source library, it is efficient. 

Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code. 

The Static Analysis Pipeline Scan is faster than the traditional scan that Veracode has. All Veracode products are fast. I have no complaints. On average, a piece of code for a customer takes 15 to 20 minutes to build versus the Static Analysis Pipeline Scan of Veracode that takes three or four minutes. So, that is 20 to 30 percent of the total time, which is fairly fast.

Most of our time is spent configuring the SAST and SCA tools. I would consider that one of the weak points of the product. Otherwise, once the product is set up on the computer, it is fairly fast.

Like many tools, Veracode has a good number of false positives. However, there are no tools at this point in the market that they can understand the scope of an application. For example, if I have an application with only internal APIs and no UI, Veracode can detect that. It might detect that the HTML bodies of the requests are not sanitized, so it would then be prone to cross-site injections and SQL injections. But, in reality, that is a false positive. It will be almost impossible for a tool to understand the scope unless we start using machine learning and AI. So, it's inevitable at this point that there are false positives. Obviously, that doesn't make the developers happy, but I don't think there is another way around this, but it is not just because of Veracode. It's just the nature of the problem, which cannot be solved with current technologies. 

Once we explain to the developers why there are false positives, they understand. In Veracode, embedded features (where there are false positives) can be flagged as such. So, next time that they run the same scan, the same "vulnerability" will be still flagged as a false positive. Therefore, it's not that bad from that point of view.

Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of the false positive, it would be highly desirable if the false positive don't show up again on the UI, instead still showing up for any subsequent scan as a false positive. There is a little bit of cluttering that could be avoided. However, that is not necessarily a shortcoming of the product. I think it's more of a shortcoming of the UI. It's just the way it's visualized. However, going forward, I personally don't want to see any more vulnerabilities that I already flagged as a false positive.

It does take some time to understand the way the product works and be able to configure it properly. Veracode is aware of that. Because the SCA tools are actually a company that they acquired, SourceClear, the SCA tool and SAST tool are not completely integrated at this point. You are still dealing with two separate products, which can cause some headaches. I did have a conversation with the Veracode development team not too long ago where I voiced my concerns. They acknowledged that they're working on this and are aware of it. Developers have limited amounts of time dedicated to learning how to use a tool. So, they need quite a bit of help, especially when we're talking about this type of integration between the SAST and SCA. I would really like to see better integration between the SAST and SCA.

I have been using it for almost a year.

It is stable. One of the selling points is that it is a cloud solution. The maintenance is more about integrating Veracode into the pipeline. There is a first-time effort, then you can pretty much reproduce the same pipeline code for all the development teams. At that point, once everything runs in the pipeline, I think the maintenance is minimal.

We have deployed the solution to FinTech or technology medium-sized companies with more than 100 employees.

Their technical support is less than stellar. They have essentially two tiers: the technical support and the consulting support. With the consulting support, you have the opportunity to talk to people who have intimate knowledge of the product, but this usually takes a bit of effort so customers still like to go through the initial technical support that is less than stellar. We rarely get an answer from the technical support. They seem a lot more like they are the first line of defense or help. But, in reality, they are not very helpful. Until we get to the second level, we can't accomplish anything. This is another complaint that I have brought up to Veracode.

One of the reasons why we decided on Veracode is because they have an integrated solution of SAST and SCA within the same platform. Instead of relying upon two different, separate products, the attraction of using a Veracode was that we could use one platform to cover SAST and SCA. 

The SAST tool is pretty straightforward; there is very little complexity. The pipeline works very well. The SCA tool is more complex to set up, and it doesn't integrate very well with the SAST tool. At the end of the day, you have essentially two separate products with two separate setups. Also, you have two different reports because the report integration is not quite there. However, I'm hopeful that they are going to fix that soon. They acquired SourceClear less than two years ago, so they are still going through growing pains of integrating these two products.

The setting up of the pipeline is fairly straightforward. It works a lot of the main languages, like Java, Python, etc. We have deployed it across several development teams. Once we create a pipeline and hand the code to the developers, they have been able to make a little adjustment here or there, then it worked.

For both SCA and SAST tools, including documentation, providing the code, writing the code for the pipeline, and giving some training to the developers, a deployment can take us close to two weeks. 

Deploying automated process tools, like Veracode, Qualys, and Checkmarx, does take more effort than uploading the code manually each time.

As long as developers use the tool and Veracode consistently, that can reduce the cost of penetration testing.

Checkmarx is a very good solution and probably a better solution than Veracode, but it costs four times as much as Veracode. You need an entire team to maintain Checkmarx. You also need on-premise servers. So, it is a solution more for an enterprise customer. If you have a small- to medium-sized company, Checkmarx is very hard to use, because it takes so many resources. From this point of view, I would certainly recommend for now, Veracode for small- to medium-sized businesses. 

Compared to other similar products, the licensing and pricing are definitely competitive. If you see Checkmarx as the market leader, then we are talking about Veracode being a fraction of the cost. You also have to consider your hidden costs: you need a team to maintain it, a server, and resources. From that point of view, Veracode is great because the cost is really a fraction of many competitors. 

Veracode provides a very good balance between a working solution and cost.

There are other products in the market. However, some of those products are extremely expensive or require a larger team to support them. Often, they have to be installed on-prem. Veracode is a bit more appealing for our organizations who don't have larger AppSec teams or where budget is a constraint. In this respect, SCA is a good solution.

We have been using Checkmarx for years, but mainly for their on-prem solution. They do have an offering in the cloud, but we haven't done any side-by-side tests in respect to speed. We did do a side-by-side comparison between Veracode and Checkmarx two or three years ago from a technical ability standpoint. At that time, Checkmarx came in a bit ahead of Veracode.

Checkmarx is more complex to set up because it is on-prem with multiple servers as well as there are a lot of things going up. If you have a larger budget and team, look into Checkmarx because it is a market leader. However, when it comes to a price, I would choose Veracode for a smaller company, not a large enterprise. 

Another consideration for Checkmarx, as an on-prem solution, is that you are pretty much ascertained that your code doesn't leave your company. With companies like Veracode, even if they are saying that you only upload the binary code, that's not quite true. The binary code can be reverse-engineered and the source code can be essentially reconstructed. For example, Veracode would not be suitable for a government agency or a government consultancy. 

For DAST, our customers like to use Qualys Web Application Scanning. There are very few players out there that can test APIs, but Qualys is one of them. 

Another promising solution that allows for testing APIs is Wallarm. We have done a couple of PoCs with them.

We tested Black Duck a few years ago, but they only had a SCA solution. They didn't have a SAST solution. I think they do now have a SAST solution because they acquired another company, Fujita.

I don't think that Veracode has helped developers with security training, but it helps developers have a reality check on the code that they write and their open source library. That is the best value that developers can get from the product. 

Veracode products can be run as part of the development pipeline. That is also valuable.

It integrates with tools like GitHub or Jenkins. At a high level, it does integrate with most of the pipeline of tools. It would be a showstopper if the incorporation of security was not in the developer workflows. We are past a time when developers or software engineers run a SCA or DAST scan on the code, then hand it off to the development team. What works instead is to inject a security tool in a development pipeline, which is why it is absolutely paramount and important that tools, like Veracode, be a part of the build pipeline.

We limited the user to SAST and SCA. We haven't used any of the penetration testing, especially for the DAST solution that they have. For that, they are behind the curve, meaning that there are other products in the market that are being established. In my opinion, they don't have a viable product for DAST, because I believe they are not even testing APIs. So, it's not mature enough. We also have never used their pen testing because that is one of the services that we provide.

At this point, Veracode is one of the best solutions available, though it's not perfect by any means, but you have to work with whatever you have.

I will give the solution a seven (out of 10). When they integrate the SCA and SAST portions more tightly together, I could probably bump it up to an eight. Also, if they make improvements to the UI and the support, they can get a better rating. However, at this point, I would still pick Veracode for a company who doesn't have a million dollar plus budget.

Our primary use case of this solution is for static and dynamic analysis along with the source gear for the third party dependency (not IDM). 

We were looking into actually moving towards IDM, but that's the extent of my knowledge. They are licensed as two separate products. They're part of the same platform, but they are licensed separately.

We have Veracode, Veracode Developer Training, Veracode Software Composition Analysis, and SourceClear. SourceClear and SCA are pretty much the same. They just support different languages. Veracode as a whole, the top option, is the one that includes everything.

We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle. We rely on this set of tools to automatically scan our artifacts when they are moving to different environments. 

We got it to the point that when we were promoting the artifacts from desktop to the server environment, we already had the scans completed. We knew the vulnerabilities that we were introducing with the new features ahead of time, i.e. before the QA department was finding them. That was the main reason we decided to use Veracode or to use tools for static analysis and dynamic analysis.

With Veracode, it's not about features for us. It is about the pricing model that they offer. To be honest, with their vulnerability database, the total amount of false positives that we're getting is very low. 

That's the main reason we use Veracode over anybody else. New Veracode features could include a very big database of actual vulnerabilities to be better than other products.

Veracode owns SourceClear. They bought them in 2017 or 2018, and they still are not fully integrated with the actual Veracode dashboards. Right now, you have to use two separate tools from the same company. One for the static analysis and dynamic analysis, then the second one for the third-party dependency. 

That is an area that they need to improve the service. Veracode needs to bring the second tool in already to the dashboard so that we don't have to use two separate logins. We don't want two different sets of jobs that we have to upload into two different places, etc. Veracode also needs better integration of their tools to each other.

Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis. The SCA feature is on the website. Veracode should integrate SourceClear with the company product line finally after two years. I would love to see that. 

Veracode did not previously support Python 3. They just released the support for Python 3. Keeping updates coming quicker would be the main thing that I would love to see, i.e. to have all these solutions better integrated.

We have been using Veracode as a solution for almost two years.

It's a very stable solution.

Scalability is the main issue with Veracode. For my company, the outlier is out there, but when it comes to scalability, we had issues with automatically scanning springboard artifacts. If you scan the artifacts, they want the artifacts to be packaged in a specific way. This is very well documented on the website but it's not the way we're doing business. 

The workaround was taking the build that was getting put together by Jenkins and moved through the environment. We had to make a separate one, packaged differently just for the tools to work. For the scans to work, if that makes sense. Maybe we are just weird in the way we package our artifacts but maybe many are having the same issue.

We have about 200 engineers that have user roles in the solution. There are different roles. We have security administrators. We have team leads. We have managers. Their roles are all very well put together. Each team has a manager that has access to more features than the rest of his team. They can create things, delete things, compared to the regular guys that can only see the reports. It's very well structured, from that standpoint.

Theoretically, everything is integrated with Jenkins, so the staff depends from one application to another, i.e. three people or eight people from our side. From their end, in our pricing model, we have access directly to an account manager. They have a team of engineers that usually help us if we encounter any issues. It's very extensive in use. We have about 80 services and applications going through using the scanning solutions that Veracode has and we are scaling up.

The solution's technical support is absolutely fantastic and very fast. Veracode has very fast resolution and response times. Usually, when we have an issue, it's only a few hours before we get an answer from them.

Another time, the Veracode integration wasn't working and in about 3 days we came up with a solution to our problem. At the high level, the beginning of the conversation with Veracode tech support is pretty fast. It's only a few hours. 

Coming up with a solution takes two to three days at the most with Veracode. We pay a lot of money for that. You get what you pay for.

We never did use other products. The reason we started looking into IBM and WhiteSource was because of the hiccups or the speed bumps we were encountering with our springboard artifacts. We were in the process of evaluating other products and I think it's still a valid option. I wouldn't advertise it, but we were in the process of changing from Veracode just because of that one particular issue.

We had to build our artifacts differently than before just to scan them, i.e. instead of scanning the ones we were publishing. It's not a big deal overall, but it would be nice for the solution to work out of the box with everything that's out there. Instead, many companies are changing the way they're doing business just for this small little step in the delivery process.

I was not involved with the initial setup. When we were uploading new applications to their solutions it was very straightforward. Their documentation is really good and very detailed.

In the worst case scenario, if the implementation engineer just runs through the material, you can go on the website for resources. The way they have everything documented is very good. Veracode is very well documented.

I do not have any information on ROI. We became better from an engineering standpoint, but I don't know if we saved a ton of money in the process.

They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static analysis was about $4500 yearly. The license is only for the number of users, it doesn't matter what data you put in there. That was the old model. I do not know how the new model works. 

We are in negotiations with Veracode. The old model was about $500 for dynamic analysis and about $4500 for the static analysis, per app or service, per year.

Veracode offers a lot of other license options that you can put on top of what we just discussed, but I don't think we ever looked into any of those. The way we implemented it was very straightforward. You have your app and you pay this much for both dynamic and static licensing. That's all we cared about per year. 

We looked at IBM before we decided to go with Veracode. I've seen the documentation that our director of information security put together. 

We looked at six different solutions before we went with Veracode. Another company does their pricing model based on lines of code. WhiteSource was one other option we evaluated.

We did review a few of them. IBM App Scan and WhiteSource were definitely on the list. I don't remember the rest of them.

If the springboard issue doesn't hold them back and the pricing model stays the same as the one that we have right now for this year with them, it's a good deal. Veracode is pretty straightforward to use and the support is really good. We don't have a lot of complaints about that. 

I don't know how the pricing model is going to change the actual price of the application. On a per license basis, Veracode has a very lucrative way of doing business. I don't think a big company that has a lot of services and applications would enjoy paying upwards of $200,000 per year to scan all their code. 

Prospective customers should look at how the pricing model affects them, especially if they are in the microservice type of architecture or if they are moving towards something like that.

I would rate Veracode an eight out of ten just based on the experience that we had the past two years. The reason it's not ten is because of the ways these tools integrate. 

That rating is at risk of becoming a seven now with the pricing model changing. Veracode is probably not going to be that attractive anymore compared to other competitors. We knew other competitors were more expensive. The reason that we didn't go with them was that Veracode was very straightforward.

It has allowed us to scale and find vulnerabilities much faster than previous manual tools. It has allowed us to educate developers on it to use the consultation calls.

The most valuable feature is the remediation consulting that they give. I feel like any vendor can identify the flaws but fixing the flaws is what is most important. Being able to have those consultation calls, schedule them in the platform, and have that discussion with an applications expert, that process scales well and that is what has allowed a lot more reduction of risk to happen.

I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of the stuff; more hand-holding in the sense of understanding our environment.

They cover a lot of languages already and it doesn't make sense for them to cover legacy languages but I know there is a need for covering legacy languages.

My biggest need, the kind of feature I would want, is more on the technical support side.

In the early years, it was a little less stable but I know they have switched to more of an Agile CI/CD methodology and I have seen a lot more stability since they moved to that methodology.

One of the best things they offer is the scalability. The fact that you can work with it through the cloud means that if you have unintegrated business units, you don't have to worry about having a solution on-prem and having the network connection; you don't have to worry about giving up source code, you are just sending your binary files for most of the applications. So it scales much faster.

The technical support is good. I like the fact that you can email Veracode support. You get a very fast response, usually within the same day. 

If you don't have an SPM, Solution Program Manager, to escalate issues after that - you don't have to escalate a lot of issues, but if you do and you don't have feature - that is where they seem to fall down a little bit. So they need help with their level-2 and level-3 support. They do very well at level-1 and then you need to escalate, sometimes. That is where they need to improve a little bit.

At a previous company, we were using HPE Fortify. We couldn't scale because it was an on-prem solution. Therefore, after five years, we decided to break out of the mold and use a SaaS solution. We were comfortable at the time doing so because we weren't sending source code, for the most part. As soon as we went to a cloud solution we scaled dramatically.

What I look for in a vendor is 70 percent a technical match with the features and benefits we need and for the remaining 30 percent, I look at the culture of the company because, for me, it is a relationship. I want to have a partnership and I want it to feel like a win-win. If they feel like it is a short-term decision, get in get out, I want to know that. I want to be able to talk to them at any time and add service enhancements, feature enhancements, those kinds of things. It's a 70-30 split for me.

The implementation is straightforward in the sense that there are a lot of APIs to integrate, and they have a lot of connectors that do that for you.

HPE Fortify, Checkmarx, IBM AppScan. It really was between HPE Fortify, most of the time, and Veracode. I typically like Veracode because it is a SaaS solution. You have other providers now that do the same SaaS but then it goes back to the relationship and the partnership. I feel that I have that with Veracode.

I would give Veracode a nine out of 10 because it scales incredibly well, they have very qualified people working there who are able to clearly articulate what the problems are when they are talking in a remediation or consultation call. They are very knowledgeable, they are not condescending when they talk to a developer. The tool is very easy to consume. It's not like looking at a menu with 20 pages at a restaurant, it's very simple to digest. They have a lot of API connectors, they cover a lot of languages and it just scales. You can't beat that. Finally, the relationship is great with them.

The primary use is as a static analysis tool. But we also use Greenlight and dynamic, and we're currently having a manual penetration test.

Firstly, it prevents me from putting out software that has security vulnerabilities, which is a big thing and can be one of the most important things. 

Also, we just finished a vendor due diligence with a very large company that wants to do business with us, and one of their security questions was "Do you do static analysis?" I was able to just send a very professionally done report. They know Veracode and they said, "Okay, great. This is terrific." 

That very reason is why, three years ago when I first got to this company, I said, "We have to get hooked up with Veracode right away, so it's not like an afterthought." Because I'd been in a situation where you do it after the fact and you end up with 3,000 errors, medium to critical errors.

It helps us put out better software more quickly, and gives me the piece of mind that we've done everything we can to prevent any security exploits.

It's something that our customers don't think about, and the benefit would be that as long as there are no data breaches, there's no hacking within our system, they get a non-functional benefit. We work with pharmacies and they just expect that the system is secure. I would view that as a benefit to them - maybe something that they don't think about - but nonetheless, it's there. 

Certainly it eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code bundle over to Veracode, which automatically kicks off the static analysis. It sends an email when it's done, and we look at the report.

Once it's set up - and it's pretty easy to set up - it pretty much just works and I don't really have to think about it, outside of whenever I get my emails to look at the reports.

It was a very easy integration that we did within the first week of going live with the software.

So ease of use, ease of integration.

The Web portal, at times, is not necessarily intuitive. I can get around when I want to but there are times when I have to email my account manager on: "Hey, where do I find this report?" Or "How do I do this?" They always respond with, "Here's how you do it." But that points to a somewhat non-intuitive portal. 

With that said, I hate when companies redo their portals all the time. So it's kind of a catch-22, but that would be my only critique.

It's always been pretty rock solid. 

No scalability issues that I'm aware of. 

Exceptional.

Veracode was really my first introduction to static code analysis. The way I came across it in my previous company was, they were going through security due diligence and we didn't have any code analysis software. The company, a very large health plan, said, "Here are three that we recommend." Veracode happened to have been one of them, along with HPE and another company, maybe it was IBM, I don't know. We took a look at all of them and we made a decision to go with Veracode.

It was easy. It's very straightforward. There's nothing complicated about it.

I haven't really thought about cost savings related to code fixes, since we implemented Veracode, other than: It's always easier and much cheaper to catch errors and fix them before you go to production, versus catching them while in production. Just like it's much easier to fix things before production, as opposed to having somebody hack your system and to find out that you have a cross-site script error.

But again, I've never quantified it in terms of whether it's saved me money. 

Just off the cuff, the cost of the license is small in comparison to the value it brings. I don't have to buy the software myself, I don't have to have specially trained security professionals that monitor this stuff. But I haven't really broken it down to quantify it into dollars, as such.

I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this product.

About licensing, just go ahead and get them.

Get a license at the beginning of a project. Don't wait until the end, because you want to use the product throughout the entire software development lifecycle, not just at the end. You could be surprised, and not in a positive way, with all the vulnerabilities there are in your code.

When I was at the last company, I looked at HPE (now Micro Focus) Fortify vs Veracode and maybe IBM had a product, but they were overly complex and overly expensive. I remember talking to our Veracode account rep, who also was my account rep originally here at Focus Script, and she did a fabulous job of explaining it, doing a demo, showing how easy it was to use, and that's what sold me. Again, it was recommended from a very large health plan as one of the more reputable systems out there.

CA Veracode provides application security (AppSec) best practices and guidance to our teams in a couple ways. First of all, they have an e-learning module that has courses that we have required our developers to take. That's a best practice.

Secondly, when we do have errors, Veracode is always available, their consultants, to help us either mitigate the error, or provide technical assistance on pointing exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are. 

They also have what's called a Software Composition Analysis that can point out errors and fixes for third-party software frameworks, which is very nice. The list goes on... And again, having received, early on, education from them on how best to integrate this in the workflow, those are areas where we've relied on best practices from Veracode.

I'm in healthcare, and it's very important - and I'm sure in other industries just as well - but the stakes are very high. If we get hacked, if there's a data breach, it could put us out of business. It's a very good price point for a small company to have these kinds of capabilities, something we can afford for our application.

I am very likely to recommend it to colleagues. As I mentioned, I brought it to this company, and I've already recommended and provided references to a few other companies over the last couple of years.

My use case for Veracode is for a front-end application, specifically an agent compensation calculation engine. That application is deployed through an EAR file, and then Veracode scans the EAR file and gives me the scan report to help me change and improve the file for future deployments.

What I found most valuable in Veracode is that it gives me a part-by-part report of the entire EAR file and lets me set up the application for a limited time. For example, I'm running an application via the dev ops pipeline. Hence, I need to create a pipeline application and a sandbox to connect with Veracode and then add my application. When you create a sandbox, you can create it full-time or for a limited time, so I created it for a limited time. Once that expires, Veracode allows you to automatically renew it, which is one of the features I find remarkable in Veracode.

I also like that for each integration in Veracode, there's documentation.

I also find the Veracode support team extraordinary because the team goes above and beyond to ensure you get the best experience.

I find Veracode essential in preventing vulnerable code from going into production because if there's a vulnerability, the solution finds it. For example, my code has many JavaScript front-end and EAR files with some vulnerabilities. Right now, I'm deploying my code, but in the future, I may have to improve it and change it to ensure the servers are secure, so in that way, Veracode becomes more important for the industry today.

Policy reporting in Veracode is good in terms of ensuring compliance with industry standards and regulations. I like that the solution is more flexible when working with applications, mainly because my organization has a good firewall. Veracode is flexible and allows the organization to connect to the firewall in various ways. The Veracode policy is flexible and has an entire page and record that connects with my application, industry, company, and server in different ways. It does not disturb my policies so that I can get my application to work.

The false positive rate for Veracode is about seventy-thirty because it gives the most accurate report. For example, my organization depends on the Veracode analysis to ensure the code is on point, so the organization is building the next BI based on the Veracode analysis.

Veracode has also helped my organization save time because, without the report, the development team would spend a lot of time figuring out what is wrong and why the application is vulnerable. Veracode points out what is happening and why the file size must be reduced, so it helps reduce mistakes in terms of time.

An area for improvement I found in Veracode is the connectivity because currently, my company uses a plugin for the dev-ops cloud-based connectivity. A pretty helpful feature would be if Veracode gives a direct code for connecting to the Oracle server directly and authenticating it via a unique server. Currently, my organization has to find a roundabout for that and then needs to build a separate pipeline and then connect that pipeline for Veracode to start.

I've been using Veracode for the past two months.

Veracode has always been stable. It has good stability.

I found Veracode scalable because it supports a variety of platforms. Though the support for other platforms is less, Veracode has been incorporating more support over time and offering other solutions as well.

If you're unable to set up the solution, the Veracode team has a consultation call to help you set up the solution. The team would even raise set-up-related issues with the Veracode engineering team, which was how I reached Veracode Technical Support, which was a good experience.

I found Veracode Support extraordinary. I've been having an issue for the past month, and the team reached out to me and has been working with me for the past month, giving me various solutions to figure out how to solve the issue. It turns out it was a firewall issue, and I just had to go to the back-end and allow the back-end application, and now it is working fine.

The Veracode Support team was helpful and escalated my situation from level one to level two to level three, and finally, had the appropriate team reach out to me based on my issue. Then, within the span of two weeks, the team finally figured out the issue I was facing and gave me the final results and how I could fix it, so I found support good, fast, and responsive.

Overall, I had a pleasant experience with Veracode Support, so I rate support as eight out of ten.

Positive

I didn't use a previous solution before Veracode.

I wasn't involved in the initial deployment of Veracode.

I have no information on the pricing or licensing cost for Veracode.

I've not used the Software Bill of Materials in Veracode.

I'm unsure how the false positive rate affects developer confidence in Veracode on fixing vulnerabilities because I'm more of a DevOps user and don't work on development but automation.

I'm also unsure of the effect of Veracode on my organization's ability to fix flaws because I've not used it directly to fix any flaws. I report to the dev team, who then takes the report and fixes the flaws accordingly.

I'm unsure of the impact Veracode had on the overall security posture of my organization, as I didn't use it for that.

In my organization, Veracode has a hybrid cloud deployment.

The solution doesn't require any maintenance.

My rating for Veracode, overall, is eight out of ten.

What I'd tell others looking into buying the solution is that as far as DevOps is concerned, Veracode is a must-have. It's been helpful for my organization DevOps-wise, though I have no information on other Veracode offerings. I recommend that others buy Veracode.

My organization has a business relationship with Veracode. It's a Veracode partner.

We are a software company providing software to paper manufacturing organizations, and we have an extensive ERP product along with many add-on products.

With the need to increase security awareness and vulnerabilities, we decided that we needed to scan our software, so that was how we started using Veracode.

We found Veracode eye-opening because we had many third-party libraries in our application, and we found vulnerabilities and had to upgrade those libraries or seek alternatives.

Our use cases for Veracode were to make our software more secure and provide a better competitive advantage over our competitors by telling our clients that we have secure software.

What we found most valuable in Veracode is the ability to do automatic scans of our software. We've incorporated the solution into our SDLC process, so we take our builds before they get released and put them through scans to ensure any new vulnerabilities haven't occurred.

We found Veracode good at preventing vulnerable code from going into production.

We also use the Software Bill of Materials (SBOM) as we run many applications through Veracode. We use SBOM to discover all the different vulnerabilities and what that stack looks like.

We also found Veracode very good in helping us manage risks, such as supply chain, licensing, and security. The solution allows us to see where the risks are and if updates are available and identify how to remediate our software quickly.

Our company also found it moderately easy to use Veracode when creating a report via the Software Bill of Materials. There may be a bit of a learning curve, but once users have done it, they'll run the same report.

As for policy reporting in Veracode to ensure compliance with industry standards and regulations, we have not used the solution that way. Instead, we rely on the different statuses to achieve the levels we want to achieve and be able to use that on marketing material.

Veracode offers visibility into the application status at every development phase throughout the software development life cycle, but we have not implemented that. That feature is built into the development tool, so developers will get alerts as they code, but we plan to do that in the coming year.

We found a moderate false positive rate in Veracode. There were a few false positives. Veracode can identify vulnerabilities, which we found nice. We could flag false positives on Veracode so they don't continue to pop up and hunt them down, and the solution will ignore those in the future.

The false positive rate in Veracode doesn't affect developer confidence in the solution when fixing vulnerabilities because we realized that our application is huge. False positives will happen in large applications just because of the different ways of implementation and features. No toolset can handle all those different features and interactions, so we can't say they relate to vulnerability.

Veracode dramatically impacted our company's ability to have security awareness and achieve a level of confidence that we can put out to the marketplace.

We also saw how Veracode affected our company's overall security posture, explicitly being able to put the solution into automatic scanning mode, then through our SDLC cycles, and achieve a Veracode-verified status. We can use that as a marketing advantage and say that we've achieved Veracode-verified status with one of the leading vendors of security scanning software. We've reached a level of status with them, and we continually scan our software so our clients can be confident that our software has been scanned for security files before implementing a new software release.

An area for improvement in Veracode is the time that it takes to scan large projects, as that makes it difficult to fit into our CI/CD pipelines.

One of our app scans times out after two hours, which requires uploading and scanning that particular application manually. Still, there's no visibility into the CI system with the vulnerabilities found. My company cannot incorporate that into the automatic cycle and has to scan manually, so Veracode could improve on that.

I've been using Veracode for about two years.

Veracode is very stable. I have no concerns with its stability.

Veracode is very scalable from the perspective of ERP applications, though we aren't sure if other clients have applications larger than ours. For reference, we have five million lines of code in our application.

I've contacted the Veracode technical support team and found the support responsive. The team also got back to me quickly. I didn't find any issues with Veracode support.

I would rate technical support as eight, just because you still need to do manual scans, as Veracode still has not addressed that issue.

Positive

We used a product called Mend.io, formerly WhiteSource, before Veracode to look at vulnerabilities.

I was part of the initial deployment of Veracode, and it was straightforward because Veracode had excellent training programs and onboarding procedures. The Veracode team also helped along the way and was very supportive in answering questions and keeping my team plugged into any new offerings.

We implemented Veracode in-house with only three people involved.

I found Veracode very expensive, though I'm not the person paying for it. I was surprised to find out how much the subscription costs and that the executive board approved it, but it was a no-brainer because now my company has better security scans.

What I can tell others looking into Veracode but concerned about its price is that the price or cost is justified. After all, you can tell potential clients that your software is better than competitor software because you're scanning it and Veracode-verified.

The verification levels of Veracode are essential because you can use Veracode to start climbing up the ladder to say that your software's even more secure than anybody else because it achieved this level of verification.

In terms of Veracode reducing the cost of DevSecOps in our company, we find that tough to determine because we never had a real concentration on DevSecOps before Veracode. It was forced on us by the fact that the industry was becoming more vulnerable, so now we are experiencing an increase in price in DevSecOps because we're paying attention to it now. We used to skate by and weren't affected by vulnerabilities. Still, because the industry had more vulnerabilities, our customers asked if we were scanning our software, so we had to find a solution and add DevSecOps to address industry needs.

I did a Gartner search on the top three solutions and looked at their reviews, and Veracode came out to be the leader, so I just went with the leader from a partner perspective.

My company has a hybrid Veracode deployment. It's a cloud-based solution, so it's tied to the company's automatic build cycles, where you can access and do scans through the cloud.

Veracode doesn't require maintenance. The only maintenance my company performs is fixing vulnerabilities found by Veracode.

Overall, my rating for Veracode is seven out of ten.

I advise others looking to evaluate Veracode to utilize the presales marketing side first. For example, my company was able to utilize Veracode in a presales environment and do the scans to find out how vulnerable my company's software is and compare Veracode with the previous tool, WhiteSource. My company found additional vulnerabilities and was able to do that before signing the contract. It may be best to do a test run of Veracode to find out what the tool is all about and how it looks to your company.

We use Veracode for static web application scanning, and we've been using Vericode for our ethical hackers as well.

We have a dev, UAT, and staging environment. Veracode is included as a part of our DevSecOps in the staging environment. That means that when code is promoted to our staging environment, it automatically initiates a Veracode scan on our application.

The output and the recommendations given by Veracode are very useful. We are able to mitigate some of the vulnerabilities that the tool shows us. We are maintaining very clean applications with the help of the scanning we do with Veracode.

If any critical or high-risk vulnerabilities are detected in our code, we don't move it to production until we get a clean report. While we allow moderate and low-risk findings, we stop if it's critical or high. We do a scan on our staging whenever new code is promoted. Effectively, Veracode helps us to prevent moving the code to production if we detect any abnormalities.

Our application is an external-facing application and that means we have to proceed with the utmost caution when we promote code. Veracode has certainly been very helpful in giving us more accurate results and ensuring that our application does not have any vulnerabilities.

Veracode keeps developers aware of the possibility that issues will be identified. Once a vulnerability is detected, developers are careful to abide by the recommendations given by Veracode the next they are involved in new development. That's a positive regarding the solution. It helps improve the development process. We also share findings with the other development teams, so that they don't make the same mistake. We document the best practices so that the same flaws are not detected again. To that extent, our developers' time is optimally utilized.

Ours is a Java-based application and Veracode can detect vulnerabilities in both Angular, which is used for the UI, and also in the backend code, which includes APIs and microservices. That's one good aspect and something where other applications have a lower rating. Veracode gives us wholesome insights into the vulnerabilities in the application, both in the UI and in the backend.

Also, the false positive rate is good. I don't have any qualms about using Veracode.

The scanning on the UI portion of our applications is straightforward, but folks were having challenges with scans that involved microservices. They had to rope in an expert to have it sorted. In addition, one of my developers told me that they looked at the documentation that was given but still required the involvement of an expert to get the issue fixed. I would like the documentation to be a little more user-friendly.

Also, the turnaround times could be improved. From what I've heard, the scanning takes a bit of time to complete. If it could be completed a little more quickly, that would help.

We've been using it for five years.

There have been a couple of instances when the scan stopped or aborted and had to be manually triggered to complete. Other than that, there haven't been any challenges with Veracode

We used to have a tool called CAST, which determined code quality. It wasn't a security tool or scanner.

As an application manager, I certainly find Veracode very useful. It definitely improves the robustness of the application. It detects every single small or large flaw and helps us with the appropriate recommendations. I would go with Veracode unless there is a product that is equally capable but with a lower price.

Right now we have it on-prem but we are moving toward the cloud in the next six months or so. We've started that journey. I don't think there have been any difficulties in maintaining the pipeline. We've never had any challenges since we introduced Veracode as part of our DevSecOps pipeline.

For my application, it has definitely been a great tool. It ensures that your application is devoid of vulnerabilities. Go for it.

We are a relatively young company that started about a decade ago. The company adopted Veracode about five years ago because it's a market leader in that segment. 

Veracode checks for security flaws in our code. We provide software for companies in the financial sector, so it's critical that we use Veracode. There are some lesser-known competitors, but Veracode is the biggest player in security software. In a way, it's good marketing to use Veracode.

We are running it locally, but we plan to move to the cloud in the next few months. We're a small company with 20 employees. Our development team deals primarily with it, and some other support guys are involved occasionally. 

We have been using Veracode for several years. It has become a crucial tool for preventing security flaws in our applications. The quality of our software has improved significantly since we started using Veracode. We have a software development shop and also provide solutions for other companies. It's critical to have our software checked by Veracode.

Our code must be free of security flaws, especially high-level ones. Our software must be above a minimum threshold. Veracode has enabled us to see the quality of our code security. We need at least an 80 percent score. We are sure that our code is high-quality and that our clients won't see security vulnerabilities in the code when we ship it to them.

Veracode covers every phase of development. We mainly use it for static analysis and recently started using it for software composition analysis.

The false positive rate is around 10 percent, which is expected in automated software. Veracode's competitors have false positives, but we're happy with Veracode's ability to mitigate the problem. We check every false positive and clear it. It does not affect our competence at all. We realize it will happen from time to time. The effect of false positives is negligible. We don't have a problem with that. We are experienced enough now to see what is or isn't. 

I like Veracode's integration with our CI/CD. It automatically scans our code when we do the build. It can also detect any security flaws in our third-party libraries. Veracode is good at pinpointing the sections of code that have vulnerabilities. 

We are testing Veracode's software composition analysis, but we're having trouble integrating it with SVN. It works out of the box when you use Git but doesn't work as well with other tools like SVN. It's more geared toward Git.

I have been using Veracode for two years in my current role.

Veracode's stability is decent. That was only one instance where it identified a security flaw but didn't detect it afterward. Otherwise, it's mostly consistent.

We use it on a couple of different projects, and we plan to move to the cloud. They have a cloud option that makes it scalable.

I rate Veracode support nine out of 10 in its current state, but given our problems in the past, I might rate it seven overall. We had some problems when I joined. They put in a lot of effort, but it took them a couple of months to get it right. They did their best to resolve it, so I appreciate that, but we weren't happy it took so long.

Positive

We don't see a direct return from using Veracode, but it ensures we deliver a product without security faults. It has also reduced our development costs, but it's difficult to quantify that. By having the code tested before we ship it to clients, we ensure our clients don't have issues with the security of our software. 

The price is reasonable and affordable for a small company like ours. Veracode provides a lot of features. You can purchase some additional tools. For example, we are currently testing software composition analysis. We discussed adding that to our standard package.  

I rate Veracode eight out of 10. I recommend first testing it on your code to see if it's appropriate. You need to see how long it takes to scan the code.