Miodrag Zarev - PeerSpot reviewer
Senior Software Engineer at a tech vendor with 11-50 employees
Real User
Dec 29, 2022
Integrates with our CI/CD pipeline and automatically scans our code when we do the build
Pros and Cons
  • "I like Veracode's integration with our CI/CD. It automatically scans our code when we do the build. It can also detect any security flaws in our third-party libraries. Veracode is good at pinpointing the sections of code that have vulnerabilities."
  • "We are testing Veracode's software composition analysis, but we're having trouble integrating it with SVN. It works out of the box when you use Git but doesn't work as well with other tools like SVN. It's more geared toward Git."

What is our primary use case?

We are a relatively young company that started about a decade ago. The company adopted Veracode about five years ago because it's a market leader in that segment. 

Veracode checks for security flaws in our code. We provide software for companies in the financial sector, so it's critical that we use Veracode. There are some lesser-known competitors, but Veracode is the biggest player in security software. In a way, it's good marketing to use Veracode.

We are running it locally, but we plan to move to the cloud in the next few months. We're a small company with 20 employees. Our development team deals primarily with it, and some other support guys are involved occasionally. 

How has it helped my organization?

We have been using Veracode for several years. It has become a crucial tool for preventing security flaws in our applications. The quality of our software has improved significantly since we started using Veracode. We have a software development shop and also provide solutions for other companies. It's critical to have our software checked by Veracode.

Our code must be free of security flaws, especially high-level ones. Our software must be above a minimum threshold. Veracode has enabled us to see the quality of our code security. We need at least an 80 percent score. We are sure that our code is high-quality and that our clients won't see security vulnerabilities in the code when we ship it to them.

Veracode covers every phase of development. We mainly use it for static analysis and recently started using it for software composition analysis.

The false positive rate is around 10 percent, which is expected in automated software. Veracode's competitors have false positives, but we're happy with Veracode's ability to mitigate the problem. We check every false positive and clear it. It does not affect our competence at all. We realize it will happen from time to time. The effect of false positives is negligible. We don't have a problem with that. We are experienced enough now to see what is or isn't. 

What is most valuable?

I like Veracode's integration with our CI/CD. It automatically scans our code when we do the build. It can also detect any security flaws in our third-party libraries. Veracode is good at pinpointing the sections of code that have vulnerabilities. 

What needs improvement?

We are testing Veracode's software composition analysis, but we're having trouble integrating it with SVN. It works out of the box when you use Git but doesn't work as well with other tools like SVN. It's more geared toward Git.

Buyer's Guide
Veracode
February 2026
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: February 2026.
884,873 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Veracode for two years in my current role.

What do I think about the stability of the solution?

Veracode's stability is decent. There was only one instance where it identified a security flaw but didn't detect it afterward. Otherwise, it's mostly consistent.

What do I think about the scalability of the solution?

We use it on a couple of different projects, and we plan to move to the cloud. They have a cloud option that makes it scalable.

How are customer service and support?

I rate Veracode support nine out of 10 in its current state, but given our problems in the past, I might rate it seven overall. We had some problems when I joined. They put in a lot of effort, but it took them a couple of months to get it right. They did their best to resolve it, so I appreciate that, but we weren't happy it took so long.

What was our ROI?

We don't see a direct return from using Veracode, but it ensures we deliver a product without security faults. It has also reduced our development costs, but it's difficult to quantify that. By having the code tested before we ship it to clients, we ensure our clients don't have issues with the security of our software. 

What's my experience with pricing, setup cost, and licensing?

The price is reasonable and affordable for a small company like ours. Veracode provides a lot of features. You can purchase some additional tools. For example, we are currently testing software composition analysis. We discussed adding that to our standard package.  

What other advice do I have?

I rate Veracode eight out of 10. I recommend first testing it on your code to see if it's appropriate. You need to see how long it takes to scan the code. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
David Jellison - PeerSpot reviewer
Senior Director, Quality Engineering at Everbridge
Real User
Jun 12, 2022
Easy issue tracking and high visibility
Pros and Cons
  • "Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed."
  • "I think if they could improve the operations around accepted vulnerabilities, we would see improvements in our productivity."

What is our primary use case?

Our primary use case for Veracode is SAST and SCA in our SDLC pipelines. We also use it for DAST on a periodic basis and time-based scans on our staging system. We use the training modules for certifying all our developers annually.

In addition, we use Veracode to scan within our build's pipeline. We do use Greenlight, which is their IDE solution for prevention of issues of vulnerabilities.

We are FedRAMP certified as a company, so we use this as part of our certification process for Veracode ISO 27001 and various other certifications we have.

How has it helped my organization?

There is a tight integration of Veracode with JIRA. We use JIRA for nearly all of our issue tracking.

This integration provides a way to link all of the vulnerabilities discovered to our backlogs and active scrum queues, so that there's high visibility within teams for any of the issues that are related to their teams.

What is most valuable?

I think the most valuable to us is the policy management, which enables us to create different kinds of policies for different kinds of applications. Veracode policy management also allows us to plan for, track against, and report on our compliance with those different policies.

What needs improvement?

I think the biggest room for improvement is around known or accepted vulnerabilities that, when we re-scan, we want those things to be recognized as already accepted, as an exception. Sometimes they show up as something new and we have to go back and re-accept that as an accepted exception in order to bring our numbers back into compliance. I think if they could improve the operations around accepted vulnerabilities, we would see improvements in our productivity.

I would also like to see more executive reporting. Having a good snapshot of how well we're tracking, where each of the teams that own the applications stands, how they're doing, and where their gaps are would be good. Currently, the reporting is geared towards tracking current vulnerabilities. Even though they have trending, the trending doesn't necessarily evaluate the teams and how well they're doing. I would also like it to be more oriented towards teams.

Overall, I would give Veracode a nine out of 10.

For how long have I used the solution?

The company's been using Veracode for five years. I've been using it for four years.

What do I think about the stability of the solution?

Veracode is stable in my opinion. We've had very little interruption that was unplanned.

What do I think about the scalability of the solution?

We have not run into an issue with scalability yet. Veracode was built based on application counts and not users, which is what a lot of the competitors do.

We have some 300 people using Veracode. Some are executives while others are engineers actively working in Veracode. 

How are customer service and support?

Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have used Veracode the entire time I have been with this organization. However, I know that they used Coverity and WhiteSource prior to switching to Veracode. The main reason my organization chose Veracode is its comprehensive dashboard. 

How was the initial setup?

Our deployment took a while so I would say the initial setup was moderately complicated. We gradually moved into the pattern we are in today and displaced some other vendors along the way. So it was a slow ramp for us because of our business needs.

We were up and running and operational within a couple of months. And then, over time, we broadened our footprint with Veracode.

What about the implementation team?

We deployed Veracode in-house. 

What was our ROI?

Our biggest return on investment is maintaining certifications that enable us to attract customers of larger scale and government-sensitive customers.

Going back to the cost structure, I think that the way Veracode is priced and their comparison to third parties, I still put them at four out of five.

What's my experience with pricing, setup cost, and licensing?

Veracode recently introduced some pricing based on microservices. This model gives us a lot of flexibility in being able to add and remove microservices and scale them that way.

The pricing is solid. I think with the current consolidated pricing that we have is pretty consistent every year.

What other advice do I have?

All of the Veracode applications operate as one platform. Most of the competitors out there separate their products from their reporting and configuration, so you don't get a single pane of glass. With Veracode, you get a single pane of glass and reporting that you can combine with the different scan types to look at compliance.

The advice I would give regarding this solution is this: Look at the policies, the dashboards, and integration with ALM applications like Veracode and JIRA. They have a tighter integration there than I see with most of the competitors.

I'm sure that the scan quality is consistent. Perhaps there are some applications that are a little better than others at detection. But we find that Veracode is very comparable to other solutions in the quality of catching vulnerabilities.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
EricOlson1 - PeerSpot reviewer
Application Security Program Manager at a tech services company with 5,001-10,000 employees
MSP
May 11, 2022
It integrates seamlessly with other CICD solutions
Pros and Cons
  • "I don't have much experience with the solution yet. We're looking at integrating Manual Penetration Testing with JIRA and Bamboo and then building that into a CICD model, so the integration is the most valuable feature so far."
  • "I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you."

What is our primary use case?

Manual Penetration Testing is a security tool for static code scanning. It's still in testing, so the client has it in their commercial cloud. As soon as it's federally approved, they'll move it to the government cloud. That's supposed to happen any day now. I think their government cloud is AWS. I believe they're looking at the dynamic piece as well.

What is most valuable?

I don't have much experience with the solution yet. We're looking at integrating Manual Penetration Testing with JIRA and Bamboo and then building that into a CICD model, so the integration is the most valuable feature so far.

What needs improvement?

We're still trying to get things operationalized, piloted, and tested. I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you. 

For example, it would be nice if the solution used AI or machine learning to detect what your code was doing. It could perform the review and decide how to package up the software. You could run it and wouldn't need as much developer involvement.

For how long have I used the solution?

We've had Veracode in place for about three or four months now.

What do I think about the stability of the solution?

I haven't heard anything negative about Veracode's performance, and we've had a hundred people test it at one time. We may get to a point where we see some degradation, but we haven't yet.

What do I think about the scalability of the solution?

Manual Penetration Testing looks relatively scalable. We won't know those things until we get a critical mass of people testing all at the same time. We have around four teams that are scanning continuously, or on a fairly regular basis at this point.

How are customer service and support?

I'm happy with Veracode's support. We're getting the help we need. I meet with them weekly, and they answer our questions.

Which solution did I use previously and why did I switch?

We haven't worked with something like this before. This is the first time the organization has picked up this type of scanning solution.

How was the initial setup?

Setting up Manual Penetration Testing wasn't complex. None of these solutions are complicated. You get it, set it up, and run it. It has been deployed. They're already scanning, and more developers are being onboarded. 

We followed the implementation strategy provided by Veracode. One person is probably enough to onboard people and set them up. We need one person to concentrate on the strategy and ensure the systems are set up correctly.

What about the implementation team?

We deployed Manual Penetration Testing ourselves, but we have an arrangement with Veracode to provide the necessary professional services to support us. Consulting is part of the package they provide.

What was our ROI?

We used it to scan and detected a vulnerability, and they're trying to use it to identify how to fix the problem. That's the only example of an ROI we've got so far. 

What's my experience with pricing, setup cost, and licensing?

I'm not familiar with the costs, but I believe it's around half a million. I'm not sure how it compares to the other solutions, but I assume they're all in the same ballpark. HCL might have been a little less expensive.

Which other solutions did I evaluate?

I think someone at my company was looking at SonarQube, but whoever did that didn't go forward with a commercial version. I don't know how it would've worked out, and I didn't look at it. There was a community version someone had for years, but it never got the traction. 

Then I looked at HCL, Synopsys, and Cast. Cast is deep but highly expensive. Those were the Cadillac solutions. We went with the SaaS because they did not have anything that was on-prem. They wanted something that would be in the gov cloud that was FedRAMPed and low maintenance on our side.

What other advice do I have?

I rate Veracode Manual Penetration Testing nine out of 10 for support and ease of setup. If you're considering this solution, I suggest trying it out and taking the opportunity to learn and teach yourself. Take some classes or online training. I found the solution pretty straightforward, and I'm not terribly technical. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Jagusztin Laszlo - PeerSpot reviewer
Lead Architect, Presales lead at Alerant Zrt.
Real User
Top 20
Oct 3, 2021
Excels when it comes to binary scanning and has helped us significantly increase development speed
Pros and Cons
  • "For use cases where our company buys a product with the source code, but only the final executables or the binaries, only Veracode is able to work on that type of tool."
  • "There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow... Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it."

What is our primary use case?

We are using it for two purposes. The first is to analyze the final binaries in our normal development cycle and the second is for auditing old software.

It's a SaaS solution.

How has it helped my organization?

Veracode is able to analyze the final software products. We compile the applications and it's an advantage for us because there are a lot of areas where we don't have the source code. In some companies, only internal development is taking place and they have the source code and everything else for the software. With those companies, there are other tools that we can use. But for use cases where our company buys a product with the source code, but only the final executables or the binaries, only Veracode is able to work on that type of tool. We are working in the financial sector for big banks and insurance companies. A lot of times, these types of companies don't have the source code for the applications, only the final applications. This is the biggest advantage of Veracode, that it's able to analyze these types of applications.

We use the scanning process to help our security professionals and developers fix flaws in the code and that helps speed up the development cycle. It helps to "shift-left" all of the security control to the earliest phase of the development cycle. It has sped up the development cycle significantly. An unexpected vulnerability can stop the development pipeline, at least for a little while, and we are able to avoid that.

It has also helped to increase our fix rate by almost 100 percent. In the past, if it turned out that we had vulnerabilities, we had no time to correct them. We went into production with them. Now, we are able to fix everything, 100 percent, in the development cycle.

In terms of best practices, we have the results from Veracode and then we have a Knowledge Base of the types of vulnerabilities and how they should be corrected by our developers.

Another benefit is that it has helped us with certification and audits. We have a lot of automated reports based on the scans and we can show them to the auditors. That has saved us a lot of money and work.

And Veracode SCA has helped to reduce the risk of a security breach because it finds vulnerabilities as early as possible. It has increased our security and development teams’ productivity because, with the automated scanning, we are able to scan much more than previously. It saves us at least one week per development cycle, if not more.

The recommendations from Veracode have improved our efforts in fixing potential vulnerabilities, and not just finding them. That's important for us because fixing is a very expensive process. If you can save time on that, it is a big help. And SCA’s automated, peer, and expert advice have definitely reduced remediation times, saving us at least a week per development cycle.

Overall, SCA has significantly lowered the risk of vulnerabilities. If we didn't identify them before production, and it turned out that there were vulnerabilities, there would be a big risk. We would have to go into production with them or stop the development pipeline. So it lowers the security risk significantly by doing early scanning. It has reduced our risk by at least 60 percent. It definitely helps create secure software. That is 100 percent important because we are working for financial companies.

What is most valuable?

It's good that it's cloud-based because we don't have to operate a new IT system for security scanning.

It provides a centralized view across all testing types, including SAST, DAST, SCA, and manual penetration testing. We now have a central place with overall visibility.

In addition, the mitigation recommendations provided by the scanning engine are good. They are not all perfect, but they are good and usable.

What needs improvement?

There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow. Also, because we are located in Europe, it would be a big help if they had a European or national service, because of the regulations, not only because of the speed.

Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it.

For how long have I used the solution?

We have been using Veracode Software Composition Analysis for more than two years.

What do I think about the stability of the solution?

The stability is good. We haven't had any problems.

What do I think about the scalability of the solution?

The scalability issue is a good question because it's not too fast, but it's scalable because it's cloud-based.

We use it for 10 critical applications.

How are customer service and support?

Their technical support staff is skilled. We have been able to solve all of our problems with them. I wouldn't rate them a 10 because sometimes it's time-consuming to get the right guy to answer our questions. But we always get answers to our questions.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used SonarQube because the developers liked it. We also used Checkmarx. We switched to Veracode SCA because of the binary scanning ability. Neither Checkmarx nor SonarQube is able to do that.

How was the initial setup?

The initial setup was very easy. Because it's a cloud-based service, we were able to do it without the help of Veracode. We just read the recommendations and followed them. We had three guys involved, two developers and one security guy.

It took three months to implement. Our implementation strategy was to do a pilot and then everybody in the organization copied the reference implementation.

What was our ROI?

Our return on investment is due to saving a lot of development hours.

What's my experience with pricing, setup cost, and licensing?

It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it for only 10 of them. But the other solutions are also expensive, so it wasn't a differentiator.

The static cost model is not that important. Veracode works on a subscription model, so we have to pay for it every year. 

Which other solutions did I evaluate?

We chose Veracode's Software Composition Analysis after we evaluated more than 10 products. Among those we evaluated were Checkmarx, Fortify, and SonarQube. The primary differentiator was the binary scanning use case.

What other advice do I have?

Use Veracode for the special use case of binary scanning, because it is the best in this special use case.

Security Labs is very good as well. We are not using it day-to-day, but it's a good feature.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
reviewer2131128 - PeerSpot reviewer
Application Security Engineer at a financial services firm with 1,001-5,000 employees
Real User
Mar 22, 2023
Issues are identified before go-live
Pros and Cons
  • "It has improved the quality of code being delivered for test and its vulnerability resolutions timeline has improved."
  • "In the next release, I would like a proper way of packaging files for scanning and the packing of iOS apps and API Dynamic scan methodology."

What is our primary use case?

I'm a security practitioner and I use it for security and vulnerability scanning and assessments.

How has it helped my organization?

The main purpose of getting Veracode was to serve as a solution for scanning lines of code which was lacking in the organization. It has improved the quality of code being delivered for test and its vulnerability resolutions timeline has improved.

What is most valuable?

The static scan module is the most valuable. 

What needs improvement?

In the next release, I would like a proper way of packaging files for scanning and the packing of iOS apps and API Dynamic scan methodology.

Also, there seem to be lots of false positives. This can be improved upon. 

For how long have I used the solution?

I've been using Veracode for about six months.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

It is scalable.

How are customer service and support?

The technical support has been quite helpful. I had a consultation yesterday and it was straightforward and explanatory. They seem to be okay. The customer rep helped resolve the issues observed. Although there were issues encountered which were not answered, I was referred to the support option on Veracode. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I've used quite a few other solutions including SonarQube which is similar to Veracode. The challenge with SonarQube was financial, it charges per line of code while Veracode charges per application.

How was the initial setup?

Initially, the setup was complex for those who had not done solution integration. However, my team was able to pick up after the refresher course. 

What about the implementation team?

We implemented the solution in-house.

What was our ROI?

We've just concluded the onboarding this year. I can see improvement, but I can't really equate it to a monetary value. This will be determined by the financial team. 

What's my experience with pricing, setup cost, and licensing?

My advice to anyone considering Veracode will be to negotiate with the team directly and define what constitutes an additional application.  

Which other solutions did I evaluate?

We evaluated other options.

What other advice do I have?

The process of packaging scannable modules is not straightforward. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Peter Westin - PeerSpot reviewer
Backend Engineer at a tech company with 1,001-5,000 employees
Real User
Mar 13, 2023
Interactive lab helps developers think like attackers and become more security-aware
Pros and Cons
  • "It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that."
  • "I would like to see more AI features. It's a current subject because with ChatGPT and other solutions being developed all the time, IT attacks will increase... To defend against those it's very important that the good guys use AI in ways that are good instead of bad."

How has it helped my organization?

Because Veracode is more interactive than Secure Code Warrior, the big benefit for our organization will be that the developers will not just get the blue team excited, but they will learn to think like the red team, like an attacker. The interactive labs will help developers see that some of the red team attack methods aren't that hard to do, and that will bring them more security awareness. 

Because developers will see exactly how you do a certain type of red team attack or exploit, they will understand that it's important that they don't think, "Oh, this could never happen." And when they realize that some of the attack methods are not so hard to implement, they will secure the code base and fix the vulnerabilities that already exist.

For example, when I tried SQL injection labs, I learned new ways to make those, and that is extremely valuable for me because, if I'm working with a code base, I can know exactly how to mitigate SQL injection, because not all systems are using Hibernate. I've been on code reviews where I could actually point out things related to injection, which is something I wouldn't have been able to do without Veracode.

Another big benefit for our organization is that it is more interactive and fun, in a way, than Secure Code Warrior. Developers will engage and spend more time in Veracode.

It has had a good effect on my security posture because the labs are very informative with current information, showing you some of the things that could be done by attackers if your code is done incorrectly. I have retained more useful information in a fast manner.

And if we talk about scanning, we will see advantages there as well. For example, I'm working on a Java project and because Java is a high-level language, it's hard to make code errors. But if I worked with C or C++, the scanner tool would be very good. If you take the OWASP dependency checker, for example, it goes through all the third-party dependencies which are often where the trouble is in a Java project. However, I have heard that you can upload the necessary files and it will go through the third-party components as well and, in that case, it's very beneficial for the organization to have such a tool.

What is most valuable?

It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that.

I like the web interface of the interactive labs and the information there. It's very well done by those who developed it, and it works very well. It's very fun and you get to learn new things and think like an attacker. It's not like on TryHackMe, but the information I got from doing the labs here was information that I didn't have before. The quality of the information was really good.

When I started to use Veracode, there were a lot of policy documents and I actually have a habit of always reading those. I haven't made a list of all the regulations and policies and how well it complies with all the security regulations, but from what I could see, it is aligned with security regulations and certifications. And in the lab environment, they have divided things into different topics like OWASP top-10. That is very actual and follows the security guidelines that are commonly accepted by organizations today.

What needs improvement?

I would like to see more AI features. It's a current subject because with ChatGPT and other solutions being developed all the time, IT attacks will increase. I actually talked to the CEO of an IT security company in the United States because he ranked the top-10 IT security risks this year, and one of the biggest risks was new vulnerabilities or attacks would occur because of ChatGPT and similar services. To defend against those it's very important that the good guys use AI in ways that are good instead of bad.

For how long have I used the solution?

I have been using Veracode for about two weeks. I recently got access to Veracode to test it. I've been spending a lot of time on it, working with it in the lab environment. I have also tried out the scanning tools for code bases, but I mostly have experience working with it in the lab environment.

What do I think about the stability of the solution?

I haven't used it for very long, but I have never experienced any problems with the stability.

What do I think about the scalability of the solution?

We are an enterprise-size company and I know that our security employees are using Veracode and some of the developers as well, but I don't know to what extent developers are using it. It's pretty widely used across our organization.

How are customer service and support?

I give their technical support a very high grade. I was in contact with them with an inquiry I had, and there was a very fast response time. They took my request and prioritized it. They were nice as well, and that's how you want support to be, although not every support team is like that.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I was previously working with Secure Code Warrior which is very different, but it's within the security field.

Which other solutions did I evaluate?

I've been using the security platform TryHackMe a lot, which also has a web console, but I wouldn't pay for the kind of console window that TryHackMe had. It has a lot of good aspects, so no disrespect to them; I learned a lot from it. But I understand how hard it is to create that and Veracode has managed to do so in a responsive way that works well. It's very impressive.

What other advice do I have?

Scanning tools are a big safeguard for getting vulnerable code out of production. It's almost mandatory today to scan applications because there are so many attacks happening in the world right now, no matter which solution you use.

I was very pleased when I tried Veracode because I hadn't heard about it before, but it was much better than I thought.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer2068875 - PeerSpot reviewer
DevOps Engineer at Barclays Technology
Real User
Feb 7, 2023
Helps save developers' time and helps to improve our ability to fix flaws
Pros and Cons
  • "The best feature is definitely the detailed reports. It provides code-related queries in the order of high, medium, and low depending on what we need to do. Veracode is user-friendly as well."
  • "Searching for applications in Veracode is a little bit difficult. We have to minimize the length of an application's name to 47 characters. It would be good if this limit could be increased so that an application's name can be properly reflected in Veracode."

What is our primary use case?

We use Veracode for security scanning purposes, and our security services team has developed the logic. We create the pipeline and run the Veracode scan for particular microservices. My role is to run the Veracode pipeline and to see all the detailed reports. Once the scan is complete, I download the Veracode report and share it with developers.

We have multiple environments, and all entities use the solution. We have approximately 1000 users.

What is most valuable?

The best feature is definitely the detailed reports. It provides code-related queries in the order of high, medium, and low depending on what we need to do. Veracode is user-friendly as well.

It provides all the details to prevent vulnerable code from going into production. The Veracode scanning report shows where we need to create security and how to encrypt usernames, passwords, or other details. It's very helpful from an application security perspective.

With this solution, we have visibility into application status at every phase of development including static analysis, dynamic analysis, software composition analysis, and manual penetration test throughout our SDLC. It is helpful for our DevSecOps processes because we get all the details before going into production. We can then talk with the design team and developers to fix any issues before going live.

Veracode helped to improve our ability to fix flaws.

It also saved our developers' time by 50% to 60%. Before going live, we always integrate Veracode with our application's build pipeline. Instead of resolving issues once it is live, we can fix them beforehand.

What needs improvement?

Searching for applications in Veracode is a little bit difficult. We have to minimize the length of an application's name to 47 characters. It would be good if this limit could be increased so that an application's name can be properly reflected in Veracode.

For how long have I used the solution?

My organization has been using Veracode for four years, and I've been working with it for two years.

What do I think about the stability of the solution?

Veracode is a stable solution.

What do I think about the scalability of the solution?

It is a scalable solution.

How are customer service and support?

Veracode's technical support is good, and I'd rate them a nine on a scale from one to ten.

How would you rate customer service and support?

Positive

What other advice do I have?

Overall, I'd give Veracode an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Rafael Mesquita - PeerSpot reviewer
Full Stack Software Developer at DreamDev
Real User
Jan 10, 2023
The team can anticipate and correct issues earlier instead of waiting for someone to discover it when your application is attacked
Pros and Cons
  • "Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered."
  • "We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process."

What is our primary use case?

I am a software engineer, and one of my clients needed Veracode for security requirements. We needed to send the code through some security tools to see if there are breaches or malicious code that could attack the company. In this case, the client used Veracode to scan third-party libraries from our application. Veracode was running on a private cloud using Azure. 

How has it helped my organization?

Veracode helped us prevent possible security breaches. The team can anticipate and correct issues earlier instead of waiting for someone to find the issue or discover it when your application is attacked. 

The report is good because it has lots of security information. It isn't related to the code itself, like the line of the code or the connected library that contains an issue. It's sometimes difficult to figure out how to solve that.

Veracode saves time in the development process because we can anticipate security issues in an application. On the other hand, from a software development perspective, it could be a technical increase in depth. After we develop a feature in the application and run Veracode, we might find some security issues we need to fix. 

For example, we spent a month building a feature on an application, but during this month, Veracode found a security issue in the third-party library we were using and reported it. If we had found the issue mid-development, we would need to rebuild the solution. Sometimes, it might increase the technical depth of the application because this type of security flaw was not found previously in our daily work. 

What is most valuable?

Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered.

What needs improvement?

We waste a lot of time figuring out which results are false positives, and it has affected our trust in the tool. After we've spent time training and setting up the tool correctly, we need to scan our code and remove all the false positives. Finally, it's good enough to identify our security issues.

We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process. 

This hasn't happened in .NET or C# because we can use all the libraries used when coding. In JavaScript, it's tough, and we spend tons of time trying to find the issue. However, it's not a problem because it's a pre-compiled language. This isn't unique to Veracode. Black Duck does the same thing.

Maybe Veracode could automatically detect the language type first and improve the way it scans JavaScript to reduce the false positive rate for this specific language. Also, in the reporting area, it could connect to the source code Veracode uses for the third-party library.

When Veracode finds security issues, it creates a report with the number and description of the issues. Sometimes, we are not able to connect that issue with the third-party library containing the code and applications the developers are building. The relationship between the flaw in the code and the third-party library could be more apparent because developers may not realize that the root cause is the library, not the code itself. 

The compliance features are good, but it's pretty picky in terms of what it considers a security issue. I and the other developers struggle to understand what is flagged as a security vulnerability. If you can see a security issue in there, you can see all the documentation, but it's difficult to relate that to the code to determine why the issue happened. It could be clearer how to find the issue in the structure of the code. 

For how long have I used the solution?

I'm not using Veracode anymore, but I used it for eight months in the last year. 

What do I think about the stability of the solution?

Veracode is stable overall. When we start the process on the Veracode side, the report generates in less than a minute, and we can see the issues. I don't have any problems with stability.

Which solution did I use previously and why did I switch?

I used a tool called Black Duck when I worked for another company two years ago. The client chose to use Veracode. It wasn't my option. 

How was the initial setup?

We put Veracode in our pipeline, so the process runs automatically during development. It isn't something we can run manually. There are scripts that run when we start. There isn't any maintenance on the developer side. A designated team takes care of all this.

What was our ROI?

I don't think we've seen a return on this, but it's hard to calculate because you have to estimate the value of a breach that hasn't happened. This is the main benefit of using this tool. I don't know how to measure that.

What other advice do I have?

I rate Veracode eight out of 10. It can help you improve your security by identifying and preventing issues faster. At the same time, you should know that using Veracode will lengthen the development process because the team needs to check and correct issues. It could increase your development costs. 

Using Veracode has challenged us to be more conscious of security. Sometimes, developers just want to build code. This tool allows you to check if the code or libraries are secure enough to add. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
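The review above describes SCA findings that land on packages only used during the JavaScript build. As an added example (not the reviewer's code and not Veracode's tooling), the script below reads an npm package-lock.json (lockfileVersion 2 or 3, whose "packages" map marks build-only entries with "dev": true) and separates findings on packages that ship to production from those on dev-only packages; the lockfile and the findings are constructed samples.

```python
"""Triage SCA findings against an npm lockfile.

Added example: splits findings into packages that ship with the
application and packages that only a devDependency pulls in.
Assumes a package-lock.json with lockfileVersion 2 or 3.
"""
import json

# Constructed sample lockfile, trimmed to the fields used here.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"react": "18.2.0"},
             "devDependencies": {"webpack": "5.88.0"}},
        "node_modules/react": {"version": "18.2.0"},
        "node_modules/webpack": {"version": "5.88.0", "dev": True},
        # nested copy pulled in by the bundler only
        "node_modules/webpack/node_modules/minimist": {"version": "1.2.5", "dev": True},
        # top-level copy reachable from a runtime dependency
        "node_modules/minimist": {"version": "1.2.6"},
    },
})

# Constructed SCA findings: (package, version, severity).
SAMPLE_FINDINGS = [
    ("minimist", "1.2.5", "high"),
    ("minimist", "1.2.6", "high"),
    ("webpack", "5.88.0", "medium"),
    ("react", "18.2.0", "low"),
]


def index_lockfile(lock_text):
    """Map (name, version) -> {"dev_only": bool, "paths": [...]}."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("need lockfileVersion 2 or 3 (has a 'packages' map)")
    index = {}
    for path, meta in lock["packages"].items():
        if not path:                      # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # keeps @scope/name intact
        entry = index.setdefault((name, meta.get("version")),
                                 {"dev_only": True, "paths": []})
        entry["paths"].append(path)
        if not meta.get("dev", False):
            entry["dev_only"] = False     # one production copy means it ships
    return index


def triage(findings, index):
    """Return (ships_to_prod, dev_only, not_in_lockfile) finding lists."""
    prod, dev, unknown = [], [], []
    for name, version, severity in findings:
        entry = index.get((name, version))
        bucket = unknown if entry is None else (dev if entry["dev_only"] else prod)
        bucket.append((name, version, severity))
    return prod, dev, unknown
```

A dev-only finding still runs on build machines, so it is deprioritised rather than dismissed, and anything in the third list needs a manual look because the scanner saw a package the lockfile does not.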
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: February 2026