Veracode Reviews

We use Veracode for static and dynamic code analysis, as well as software composition analysis (SCA). Using it ensures that our products are compliant, and it also provides an external method to assure our customers that our products are free from any flaws, or application security issues.

Our product resides on the Azure Cloud, and we have Veracode access it directly.

Using Veracode has helped to improve our organization in that we now have discipline in terms of periodically scanning our systems. We do this every six months, and it is done to meet our compliance requirements.

We are now at the point where it is integrated as part of our software lifecycle automation. I can't point to a particular example of how it has improved our product, although it has helped in terms of validating our product. Also, it has shown us the competency of our teams.

The certification levels are helpful. They are different levels where I think that five is the highest, and we are at level four. Having that badge and showing that we are compliant to that level helps one's reputation in the market.

The interface is easy to use.

The training lab is not very user-friendly and takes a long time to set up. This is an area that should be improved because we've not used it as much as we should have.

We have been using Veracode for more than a year, since January 2021.

This is a pretty stable product. I would rate the stability an eight out of ten.

I can't specifically speak to scalability because we only engage with them for a single product. However, I do think that scaling might be expensive and is probably something that needs to be negotiated.

The Veracode technical support is very good. They are responsive and very knowledgeable. Every time we wanted to set up a meeting, they responded very quickly. In terms of the instructions that they provide, the details are very explicit and although there's a lot to refer to, we can get what we want fast. We don't get lost in what we need to look at.

I would rate the customer support an eight out of ten.

Positive

We did not use another similar solution prior to Veracode.

I was not heavily involved in the initial setup and deployment, although I understand that it was straightforward. We were able to start using it and scanning our code on day one.

It's all on the web, so there is not much to set up. We just have to configure the access so that the web tool can connect, and it takes it from there.

Except for the Lab component, we didn't have to keep contacting our Veracode account manager.

We completed the deployment ourselves.

There were two people involved. The first was our IT person, and the second was a senior member of the engineering team. There is no maintenance required.

It's too early to say whether we have seen ROI because we're marketing our product and services to newer customers. We haven't had visibility from that perspective, yet.

The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us. It's an expensive product but we are paying for quality.

We evaluated two or three different products before choosing Veracode. 

The reasons that we chose Veracode were their reputation and ease of use. Also, one of the senior people on the team had previous experience with it.

Another point is that their pre-sales team was very professional. Their discussions helped us in terms of getting to what we wanted.

My advice for anybody who is looking into Veracode is that it's one of the very few solutions that can perform dynamic, static, and software composition analysis.

I would rate this solution an eight out of ten.

I use Veracode for static and dynamic analysis.

Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode.

I've been using Veracode for four or five years.

We have about 230 users. 

We've raised a few tickets with Veracode support. Sometimes, their frontline support can resolve the issue, but we may need to escalate it and get their global team involved. The problem is usually resolved in a couple of days. Overall, support is not a concern. It's fine.

Veracode is an easy-to-use browser-based solution. It isn't a standalone product like Fortify, so there's no installation. You put in the credentials and start the scan. 

While Veracode is way ahead of its competitors on Gartner Magic Quadrant, it's a bit more expensive than Fortify. It's a good solution for the cost, but if we had a high budget, we would go with Checkmarx, which is much better than Veracode. 

Veracode and Micro Focus Fortify SSC are both making progress. Fortify's cloud-on-demand model is an improvement over the past. Both solutions handle the analysis part well, but Fortify needs to improve a lot of things. For one, Micro Focus Fortify hasn't been updated in a long time. They acquired the solution from HP long back, but I haven't seen much improvement. 

Veracode's browser-based solution doesn't have cloud-on-demand functionality. You only need to give consent once on Veracode's access URL, but Micro Focus requires another consent for Dynamic Application testing for WebInspect server, so we need to use SQL Server Express for the WebInspect server. 

We have some difficulties in a SQL Server because a client might not be able to install that in their environment. We may be able to install WebInspect, but we face some challenges dealing with SQL Server Express and other dependents. We have issues with those other supported plugins, libraries, or framework installation parts.

I rate Veracode Static Analysis eight out of 10. I recommend Veracode over Micro Focus. Some companies prefer Micro Focus because they can get a discount and buy it for less than the market price. That's the only reason to use Micro Focus. Otherwise, I don't think Micro Focus can compete with Veracode.

We have a website built on the Microsoft stack, with .NET. Veracode comes in and scans our code and, for the static side of it, we zip up the CS files and the JavaScript files, and upload them for scanning.

It gives us peace of mind regarding what our website's security environment looks like. It provides that quality check to make sure that we have as few vulnerabilities as possible.

The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use.

I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use.

Also, with the dynamic tool, sometimes a scan gets stuck and it can be hard to get a hold of the right person in a timely manner to find out why it got stuck and to get it unstuck, or to create a new one.

Overall, speed and customer support could be improved.

I have been using Veracode at my current job for about two years and I used it at my previous job for at least six years or so.

It's very stable. It's very good that way. I haven't run into too many times where their website is down. Usually, it's just for maintenance and they'll let you know ahead of time.

Since it's a cloud offering, we don't have to worry about its scalability.

We don't utilize our current offering to its fullest, so we don't have plans to expand use of it.

Their technical support is pretty good. It depends on who you get. As I mentioned, sometimes it's hard to get an answer from them quickly about why a scan got stuck or what's going on with it. 

Neutral

I've used Checkmarx and IBM AppScan.

I don't know what ROI might be in terms of a dollar amount, but the peace of mind and quality it gives us, making sure we don't get hacked, are types of ROI.

The "gold star" goes to Veracode's dynamic scanning capabilities. I've used other static scanners that may be a little bit better than Veracode, but the dynamic is a lot faster and a lot easier to use. The other ones I have used can be very complex when setting up the scans.

Veracode only has a cloud offering. You upload your binary files for static scanning, or you whitelist your IP and have them come in and scan your website. It doesn't require any maintenance on our end.

Overall, it's really good. It's a lot better than other offerings I've seen. The dynamic scanner works really well. The static scanner is still good, but it could be improved.

We have found the static analysis to be useful in Veracode Static Analysis. However, we are in the process of testing.

Veracode Static Analysis could improve the terminology. For example, I do not know what the sandbox scan does. The terminology and the way they have used it are quite confusing. They should have a process of capturing problems that users are having on their end.

Veracode Static Analysis should adapt and detect the vulnerability which is coming from customers.

I have been using Veracode Static Analysis for one and a half years.

Veracode Static Analysis is a scalable solution.

We have approximately 10 people using this solution in my organization. However, we do not use it daily.

We previously used a free tool that is integrated into the Eclipse.

The initial setup of Veracode Static Analysis is in the middle range of difficulty. We had some minor issues but we had some guidance and support. It took us approximately one month to scan all of the microservices.

Our IT team did the implementation with support from the Veracode team. The Veracode team was very good.

The price of Veracode Static Analysis is on the higher side.

My advice to others would be to follow the instructions and they will not have any issues.

I rate Veracode Static Analysis a seven out of ten.

We use this solution because we have an important portfolio of applications, and before moving those applications to the production environment, we use the static features to scan the code: either for static analysis or for SCA (Software Composition Analysis) to find any vulnerability in our open source libraries.

When I started my job, this solution was already deployed, so I cannot compare it to how our company was prior to its deployment, but Veracode Static Analysis is a very good tool for static analysis and SCA. It not the only one in the market, but I would recommend it.

There are several features which I found most valuable in Veracode Static Analysis. First, it has a user-friendly interface, so it is easy to use.

I also found its reporting features interesting because they give you visibility on the vulnerabilities and the associated risks.

The feature of scanning open source dependencies for vulnerabilities is also very interesting. You have a dependency graph which shows you how your libraries are embedded within your code, so you can also see what kind of dependencies you have from one library to another. This means if you need to upgrade to a free vulnerability version, you can assess the impact on other libraries as well.

There is also a feature that enables you to build your own dashboard. For example, if you want to query the database that is supporting the platform, you can build your own dashboard with some indicators regarding the vulnerabilities, your portfolio, or you can look for a specific type of library or a specific type of risk, and that's interesting when you want to have visibility on your key item. I use this feature often.

This solution has a clear interface, but there are times when you go to the menu of a scan, you have to open another page for the project, or if you need to link, you also have to link your scan to a specific project. Some people find it difficult to understand those different screens and menus.

When you want to retrieve specific information about the projects that are linked to your scan, it's not easy. Those pages need to be redesigned.

I also don't understand Veracode workspaces. Other people also find that feature difficult to understand.

Those are the features that Veracode needs to redesign.

I've been using Veracode Static Analysis for more than one year.

This product is stable. We only encountered a bug which affected the results, but it was just once in a year, so this solution is stable.

I was not involved in any scalability issues or concerns with Veracode Static Analysis. The scalability requirements for this solution would be easily met because it's a SaaS application, so it's supposed to be very scalable for customer needs. I would not expect much trouble regarding its scalability.

Technical support for this solution is good. Whenever we face an issue, we schedule a consultation with them. We had the opportunity to have a slot four or five days after scheduling. Their SLA is good, but sometimes I would expect a more proactive support, or support with more availability. If we are facing an urgent issue, waiting four or five days is long. I would expect a more proactive support, but when we talk to them, in general, they provided the answers we expected.

I'm rating their support a seven out of ten.

Prior to Veracode Static Analysis, the company was using the Black Duck solution. The reason for switching could be to have a SaaS-based solution, though I am unsure if Black Duck was an on-premises or a SAAS-based solution.

Veracode has a good recommendation and good scoring, so it was the opportunity to move to a more powerful solution with DAST, SAS, and SCA capabilities.

Since this solution also has DAST capabilities, with the midterm or long-term projects, it was expected to unify all those capabilities within one platform. It's more of a strategic reason why the company switched to Veracode Static Analysis.

We evaluated AppScan from HCL.

Veracode Static Analysis isn't deployed on-premises. It's a SaaS offering.

We are using Veracode Static Analysis for static analysis and SCA, and there is also a need for the DAST module for dynamic scanning. We are considering running a POC for this solution, but I don't have any other updates for the time being. I know its DAST features would also be useful.

We are currently using HCL AppScan for SAST, and because we are not very satisfied with that product, we are considering using Veracode Static Analysis for DAST.

A lot of people are using Veracode Static Analysis in our company, approximately 300 or 400 people: development team leaders, developers, and people who are very tech-savvy and using all their time to develop applications and new programs.

I don't have pricing insight for this solution. I was not involved in the project before this was deployed. I just read in forums that the price for Veracode Static Analysis is high, but I cannot provide any specific insight.

What I can tell others who are looking into implementing Veracode Static Analysis is that it is a platform that provides good features. Its reporting capabilities are interesting, and overall the platform gives high quality results. You can manage your vulnerabilities and your risks quite easily, and define your own mitigation strategies within the platform.

I'm rating this solution a seven out of ten.

We utilize it to scan our in-house developed software, as a part of the CI/CD life cycle. Our primary use case is providing reporting from Veracode to our developers. We are still early on in the process of integrating Veracode into our life cycle, so we haven't consumed all features available to us yet. But we are betting on utilizing the API integration functionality in the long-term. That will allow us to automate the areas that security is responsible for, including invoking the scanning and providing the output to our developers so that they can correct any findings.

Right now, it hasn't affected our AppSec process, but our 2022 strategy is to implement multiple components of Veracode into our CI/CD life cycle, along with the DAST component. The goal is to bridge that with automation to provide something closer to real-time feedback to the developers and our DevOps engineering team. We are also looking for it to save us productivity time across the board, including security.

It's a SaaS solution.

Our needs are primarily foundational and Veracode provides the efficiencies that we need.

The product is being used to replace another solution and we recognize in our early implementation that Veracode DAST is identifying more vulnerabilities in application code than our previous solution did.

Also, at this juncture, I have received no feedback of false positives from our development team. It seems to be fairly good in that regard and probably has minimal false positives. We haven't gotten feedback one way or another from developers about how the false positive rate affects their confidence in the solution, but if there were significant false positives, or even one in our environment, we would certainly be engaged with the vendor to discuss it. But that has not been the case so far.

Overall, I think that if it's implemented correctly for the business, Veracode is highly effective in preventing vulnerable code from going into production.

The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code.

Because we're so early in our implementation, we have had minimal feedback in terms of room for improvement. We have seen some minor things within the interface itself that we would love to see some improvements on.

One of those is scheduling, which can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had. We have to change that over to a one-time scan. It would be lovely if we could run ad hoc scans without changing our recurring schedule. That can be a little painful because it happens a lot, unfortunately. I think that will change, so I don't want to knock them completely. Right now, we run a manual configuration setup, but once we integrate this via API into our CI/CD life cycle, that issue should go away.

We have been using Veracode for four months.

So far, my impression of Veracode's stability is very good.

It appears to be very efficient when it comes to scalability. We're a smaller shop, so I may have a different interpretation of what scalability is. We're under 100 licenses at this point, but so far we have had success.

There are some great, positive things about Veracode and the relationship they try to form with the clients.

Regarding tech support, I've mostly had positive engagements, especially because they have one engineer who is, frankly, a rock star. I cross my fingers that I get him every single time because he's very thorough, he's educational, and he is quick. For the most part, it has been positive, especially when I do get assigned that particular engineer. I had a little frustration in the early days because they didn't quite understand the situation, but that was the only time I had a negative engagement with Veracode on support.

Positive

Our previous solution was difficult to configure. Setting up the login process was very difficult, as it was tied to your browser and there were a lot of hoops you had to jump through. The reporting was also hard to follow sometimes and didn't provide a good view into previous findings versus new findings. That made things difficult too. Once we did the evaluation of our old solution against Veracode, it was very clear that it was finding fewer vulnerabilities, which lowered our confidence level in that tool.

The initial setup was straightforward for us, and minimal, since it is a SaaS product.

The major component is being granted access to the tool. They then engage a customer success manager to help you understand and give you an overview of the interface itself and to walk you through some example setups. We were able to work with the CSM to configure a couple of our production scans. He did some hand-holding for us through the process until we felt that we understood it enough and had repeated it enough to do it on our own. He also provided detailed reviews of reporting, et cetera.

Deployment took less than an hour, although we have a small environment today. It would, obviously, take much more time with a larger organization.

Because we were migrating from one solution to another, it was an easy migration path. We just needed to collect the information from the previous solution and replicate that within Veracode.

One thing that can be difficult—and it was in our previous solution—is creating the login component for the scans. The learning about how to create that was a little daunting at first, because you have to create what they coin a "login script," but it is really just a recording of a login. Once you get it down, creating those "login scripts" takes less than a minute.

One of the struggles we have had with that recording process is that we have had to redo it more often than not if our developer has changed, even in some minor way, the way they collect information for the login. That does affect the script. That can be a little frustrating at times, but unfortunately, it is a known behavior apparently. It's just the nature of the beast if you do make any modifications to login.

As for admin of the solution, we have one person involved and it probably takes a quarter of their time or less. There is no maintenance since we have the SaaS product, other than ensuring that the scans that we have set up are still scanning successfully and that we don't have any failures.

Veracode has not reduced the cost of AppSec in our organization yet, but that's only because we are very early in the implementation.

We primarily looked at Netsparker as an alternative. 

My advice would be to understand how you want Veracode to function within your environment from a workflow perspective. That way, you can potentially start taking advantage of a lot of the functionality it offers out of the gate, which is something we are not doing yet. We're on a delay until 2022. That is really important. 

Also, in introducing the product to those who will be receiving the output, the findings reports, it would be great to include them in some conversation and collaboration on the move down that Veracode path or, frankly, any path that leads to scanning applications.

Veracode provides guidance for fixing vulnerabilities, although we haven't actually had to utilize that. But as a part of our licensing model, they provide us a certain number of opportunities to engage with someone for consultation.

We are not focusing on using the solution to enhance developer security training right now, although it is a part of our roadmap. We are banking on being able to utilize that aspect of Veracode because we are an Agile environment and we want developers to be able to engage that training. Also, when there are findings, we want our developers to get that assistance in real-time. That is a part of our 2022 strategy. 

We have started out with a much more narrow policy for ourselves because we are just learning about how the tool works and how it functions. But we did evaluate some of Veracode's policies, out of curiosity, and they seem to be very aligned and very helpful. However, I would not be able to speak to whether they are on the money for utilization against compliance frameworks.

I'm an automation practice leader and we are customers of Veracode.

The valuable features are the static analysis and the dynamic analysis. The security is also a good feature.

The solution has issues with scanning. It tries to decode the binaries that we are trying to scan. It decodes the binaries and then scans for the code. It scans for vulnerabilities but the code doesn't. They really need two different ways of scanning; one for static analysis and one for dynamic analysis, and they shouldn't decode the binaries for doing the security scanning. It's a challenge for us and doesn't work too well. 

As an additional feature I'd like to see third party vulnerability scanning as well as any container image scanning, interactive application security testing and IAS testing. Those are some of the features that Veracode needs to improve. Aside from that, the API integration is very challenging to integrate with the different tools. I think Veracode can do better in those areas.

I've been using this solution for four years. 

I haven't had any issues with the stability. 

The solution is scalable but if we scale too far then the performance is impacted. We have around 300 developers using Veracode. 

The technical support is good. Whenever we have any vulnerability issues, we can easily contact them and then have a triage with the technical support team.

The initial configurations were okay, but then the integration to the CI/CD pipeline was not so smooth. We had multiple rounds of calls with the Veracode engineers to get it up and running.

Veracode is very, very expensive, one of the most expensive security scanning tools available.
We pay an annual license fee that is over $1 million. 

For any company wanting to use Veracode and buying vendor binaries from third party vendors, it's important to get the legal and compliance clearance from the vendor as well. Some vendors have a policy that they're selling you the binary of a particular software but you're not supposed to decode it. Those are the general terms and conditions that every vendor gets you to sign but Veracode does decode and then scans for the vulnerabilities. It's a challenge for any company purchasing the solution from vendors.

I rate the solution six out of 10.

In India, we have a digital development center. I'm from the security team. There are teams who develop all the applications for security features and coding security analysis. We use the Veracode Static Analysis for all projects and applications within our organization.

All the top vulnerabilities are detected. This makes sure all our applications are up-to-date on market threats, which are occurring. It gives a good workaround process for the developers to secure their code and ensure all our applications are secure. Up-to-date vulnerabilities are detected. It detects the vulnerabilities in the market on time. We keep running the scan over regular intervals, which ensures that we are secure.

Veracode has helped with developer security training and building developer security skills. I had never used Veracode previously. The training portals really helped teach me how to run the scan, know the Veracode processes, what processes should be followed, and what Veracode is all about. The training has really helped everyone.

Veracode covers most policy scans of most of the top vulnerabilities, like mobile. It pretty much covers all the policies per our compliance guidelines.

We give the developer a specific SLA period to fix each severity part of the vulnerabilities. So, they have a certain time limit to fix it. They are very comfortable in receiving these threats and working on fixing them. 

We are very much confident in the SCA scanning mechanism. If things are going fine, we can push it into production. On scale from one to five, I can give it a four and a half.

There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go through the process. They provide good process documents, community, and consultation for any issues that occur during the use of Veracode.

SCA enables developers to write secure code from the start. During the development process, we run the scan. If any threats or vulnerabilities occur, we make sure to fix them, then rerun the scan. Then, we move to production. We have all the applications of our organization on Veracode using CI for our pipeline.

We use the Static Analysis Pipeline Scan, and it provides a good benefit for our developers. Previously, we didn't have any of these kinds of tools within the organization. We were using a code quality tool, but Veracode also gives us code quality. It also detects the vulnerabilities within the application, which makes sure the quality of the application is treated well. Therefore, I can give it a rating of four and a half out of five.

The scanning could be improved, because some scans take a bit of time. 

Many developers have commented on the packaging. It is quite different compared to other tools, so the packaging of codes could be changed. They should make it more uniform.

On the reporting, there should be an option like sending reports to groups or task ID.

We have been using Veracode for one year within our organization.

The stability is good; there is nothing unstable about it.

SCA scales well. 

Most of the users are developers, about 90 percent. 100 to 150 employees are using Veracode as of now.

We have more than 30 applications. Some use it on a daily basis, then others use it on a biweekly or monthly basis.

We do have plans to increase usage. All our developers across our organization, across the globe, will start implementing Veracode within all their platforms or applications that they are developing very soon.

We receive guidance for fixing vulnerabilities in case something is new to us, or we are stuck from there. We can very easily get consultation through calls and emails, which gets things easily clarified. That means we get things done quickly.

We were using SonarQube previously, but just as a code quality tool.

The initial setup was somewhere between straightforward and complex. I am not a developer, so I would not know how to package these codes and send them in for a scan. What I prefer is if there could be some mechanism where if I am a layman, then I just need to run a scan of the application. After that, there should be some option where I can get the project details. Instead of doing the packaging or some changes in the uploading part, this change would really help anybody who had to run the scan.

We have multiple applications developed at our organization, but it didn't take much time to deploy the solution to each. If a new application comes into picture in our organization, we provide access, so they can start running the scan in one or two days.

SCA reduced the cost of AppSec for our organization, because of things like stability.

It scans quickly versus other tools, like Qualys, Burp Suite, SonarQube, and Nexus. 

I can be confident about more of our applications in production. We can be more confident against many kinds of external threats. The lesson learnt is about being proactive, which is a good thing in security.

Veracode integrates with our developer tool 95 percent of the time. It is supported very well because developers get to know why the security features are really important in any organization or application along with what they develop. They get to know the market standards of what the security threats are and how to fix them, making sure the coding or the applications are secure enough to move to production. However, with MuleSoft, it does not support most of the API parts.

We use cloud-based applications and take support from the community.

At the moment, we are only using SCA and Static Analysis, which we have been very satisfied with. However, we are not using their DAST or pen testing. 

In our organization, we concentrate on high-end and medium alerts, but we really don't bother much with false positives.

I would rate this solution as a nine (out of 10).