Veracode Reviews

We introduced SCA scanning to satisfy customer-requested open-source library scans as part of a contractional agreement. This led to expanding SCA scanning across our other applications to compliment SAST/DAST application scanning.

We knew we had a technical debt from not updating open-source libraries for years, and were not aware of the vulnerabilities in these libraries at the time. SCA scanning is now a first-class scan component of our current practices and included in our external security audits going forward.

Veracode SCA enables awareness of open-source library vulnerabilities and versions to upgrade and eliminate these problems. It links to SWE flaws and provides guidance on remediation.

The nature of discovering a vulnerability included in many places of the application code base makes initial findings look overwhelming. However, we found more the 80% of the time, simply updating the build project configuration to include new versions, rebuild, and rescan, resolved the vulnerability finding.

The remaining ~20% of findings required refactoring for deprecated methods or a shift in usage model to update to a newer version.

Multiple "Policy" profiles can be created to apply differently to different classifications of applications that include grace periods per severity. I find this a great way to manage team expectations and regulatory compliance on a per-scan and time-period cycle, leading to self-service compliance remediation.

The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities.

The Vulnerable Methods feature helps with sorting through those vulnerabilities that matter to my application codebase.

Three areas that we continue to struggle with are

1. Identifying and flagging false positives that reappear in other locations, where a rule that can catch other occurrences such that we don't have to repeat the override each time would help in productivity, and 
2. Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues,
3. Add enterprise aggregate reporting, showing teams grouped in business units with trends per team and at the group level that can be sent by email as a digest with drill-in back to the dashboard.

We have been using SCA for one and a half years and SAST/DAST for two and a half years.

Scanning is reasonably consistent and reliable. Occasionally, a scan will fail or get stuck with a defect in the scanner or some unsupported implementation requiring escalation to Veracode to fix or work-around. 

Platform scan performance has improved over the years. Refrain from putting too much in your application package for scanning such that you keep a reasonably short scan time.

Veracode needs a more standard microservice pricing strategy such that optimizing SaaS solutions into microservices from monolith applications is not penalized. 

Technical support was difficult at times due to off-shore support that seemed to be reading from a script and not really understanding our issue. The time delays in response with the off-shore team and language concerns made resolving issues painful at times.

As we grew, we were assigned a local Security Program Manager as a point person for all escalations and that made all the difference. Our escalations are now taken seriously, with a consultation of the issue and swift resolution if warranted.

We previously use WhiteSource open-source scanning and switched to Veracode for consolidation of scanning tools with one vendor dashboard.

The initial setup for manual scan uploads is straightforward. Pipeline uploads can take some effort to get to work right. Setting up policy rules and charts for results is reasonably easy.

We implemented it through an in-house team. This a Quality Engineering Shared Service team with a part-time custodian that performs other roles, as well. We found the need to have a designated custodian per application scrum team to assure scans capability, and the scan frequency for that team is maintained, escalating any issue to the shared service team and/or Veracode directly, and for shepherding vulnerabilities through the backlog routinely.

We feel that security scanning is a necessary cost of doing business, especially with FedRAMP and other prescriptive certifications. The effort we put into scanning keeps our applications healthier with higher quality confidence.

When our scan pipelines work as intended, there is little human capital cost. If there are problems with the scan pipelines and/or scan results then this can become time-consuming to address.

The Veracode price model is based on application profiles, which is how you package your components for scanning. Veracode recently included SCA pricing and support pricing as a factor of the SAST scan count cost. When using microservices, you may need to negotiate pricing based on actual application counts where microservices are usually a portion of an application.

Synopsis and Checkmarx were explored for SAST/DAST scanning in 2017, prior to the use of SCA.

Veracode has evolved to be a good partner, overall, in working through our learning needs and problem escalations. There are layers of training and consultation available, as well as recurring support engagements if the enterprise scanning needs warrant it.

We focus on these two use cases: 

1. Our first use case is for Static Analysis (SAST). The purpose of it is to scan our code for any vulnerabilities and security breaches. Then, we get some other reports from the tool, pointing us to the problematic line of code, showing us what is the vulnerability, and giving us suggestions on how to fix or mitigate them.
2. The second use case is for the Software Composition Analysis (SCA) tool, which is scanning our open sources and third-party libraries that we consumed. They scan and check on the internal database (or whatever depository tool it is using), then they return back a report saying our open sources, the versions, and what are the exposures of using those versions. For any vulnerability, it suggests the minimum upgrades to do in order to move to another more secure version.

Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt their suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code. The tool points to problematic methods with the vulnerability and provides ways to code it more securely.  By adopting their suggestions, we are fixing this vulnerability.

Once you run the tool and realize that it is not secure to use a certain method or function, then you fix it. Next time that you want to add new code, you don't want to repeat that mistake. So, you're already adopting the original suggestion, then writing more security code.

If we continued to scan and fix issues, which is an ongoing battle because every day as there are new vulnerabilities, we are on the safe side.

It is faster to adopt and use because it's a SaaS software. As a service tool, we didn't have to deal with any installation emails. We also didn't have to download packages, upgrade, or maintain their on-prem machine, which is usually the case for on-prem solutions. This is a critical point that we needed to consider when adopting the right tool. So, SaaS was a deal breaker for us. 

I don't have any complaints about the policy reporting for ensuring compliance with industry standards and regulations. It is good and a mandatory part of our process.

We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it.

About six months.

The technical support was good. Even with the time zones changes, they took the examples that we provided about how our call works and investigated them. When they didn't get an answer initially, they contacted someone else to assist. Overall, our experience was good.

The turnaround time and response times are good. We always got a response, even if they said, "It will take a while, as we are still investigating." One day after always, we always got a response, even if it was, "We need time to investigate." 

I would differentiate between the initial response time for our needs and the resolution time for the issue. The representative themselves respond pretty quickly to our needs. We exchange phone calls with them or email, and they responded quickly. Some of the issues that we experienced were due to our specific code languages and packages that didn't work smoothly with the tool. For those, the representative had to approach the Veracode R&D team. It took more time to involve R&D, but we eventually got a resolution from them after a few days.

To get into the solution, it took some tries to understand the structure of our repository and the code that we were using to write dependencies, etc. So, it took a bit of time, but then in the end, the solution was easy to connect.

It took about a month until we completed integration of Veracode tools into our own systems. Eventually, the tools needs to scan our code that resides on our machines in our on-prem environment. The integration of Veracode on the cloud with the on-prem repository and our processes took time. We worked with the Israeli representative of Veracode to help us. However, it was about a month overall until we stabilize it.

An Israeli sales representative for Veracode came to our office and worked very closely with us. They escorted us through the process of doing the PoC, examining the results and tools, and how to use them. We found it straightforward. There were some hiccups and some problems in the beginning, but not something significant in the general overview. It was easy and fast to adopt.

Our customers demand that we provide secure software. Veracode is giving us the mandate of claiming that our code is more secure because we are using an external third-party, neutral tool to examine our code and expose vulnerabilities. By fixing them, Veracode takes some of the responsibility, which is kind of a diploma that we can wave when we are negotiating with our customers.

We compared it with other tools as part of our proof of concept to adopt the right tool. Eventually, we selected Veracode because the tool provided us the easiest, fastest solution for our two use cases.

When we did the PoC to compare it with other tools, before we decided to adopt Veracode, one of the benefits that we saw is its reports are more focused on real issues. Other scanning tools that we tried, they produced much bigger reports with hundreds of vulnerabilities. That is too many vulnerabilities, so you cannot manage them nor decide where to focus. Using Veracode helps us focus where we need to.

We have used a Checkmarx tool, which is a competitor of Veracode. We have also examined Micro Focus Fortify and some other monitoring tools, which gave us a partial solution, had only static code analysis, or had only the open sources for composition part. We wanted one tool which does everything; we found Veracode all-encompassing.

The solution is efficient when creating secure software. Though, it depends on how you adopt the tool and how frequently you're running it. As long as you keep it as part of your routine and frequently run the tool, you will catch vulnerabilities closer to real-time. Eventually, you will improve the security of your software.

We haven't seen a lot of false positives. However, the tool points us to vulnerabilities to fix, which because of our behavior or software, we don't necessarily need to fix because we have other protections.

We are not using it for cloud software. Our solution is only on-prem.

I would rate this solution as an eight out of 10.

We use it to scan our biggest applications, our bread and butter. We've got a lot of developers using it in our organization, and we've got quite a few applications using it as well.

The solution has helped with developer security training and has helped build developer security skills. It has definitely opened their eyes and made them more aware of things they should look for. I try to get my developers to go to the Veracode seminars if there are new things to learn or if Veracode has made an improvement or they're going to announce something new. They have participated in those quite often, a few every month.

One of the features they have is Software Composition Analysis. When organizations use third-party, open source libraries with their application development, because they're open source they quite often have a lot of bugs. There are always patches coming out for those open source applications. You really have to stay on your toes and keep up with any third-party libraries that might be integrated into your application. Veracode's Software Composition Analysis scans those libraries and we find that very valuable.

We like their Dynamic Analysis as well. They changed the engine of the Dynamic Analysis and it does a better job. It scans better.

We use the solution’s Static Analysis Pipeline Scan. It's really good for assessing security flaws in the pipeline. Sometimes my developers have a hard time understanding the results, but those are only certain, known developers in my organization. I typically direct them to support, especially if I cannot answer the question, because I have full confidence in that process. 

The speed of the static scan is good. Our bread and butter application, which is our largest application, is bulky, and it's taking four hours. That's our baseline to compare the Static Analysis Pipeline and its efficiency. If that's only taking four hours, I have no doubt about our other applications and the solution's static analysis efficiency.

The solution’s policy reporting for ensuring compliance with industry standards and regulations is really good as well. We're a state agency and we always look to be NIST compliant. We're always looking at the OWASP and CWE-IDs, and Veracode does a really good job there. I've used it often in trying to get my point across to the developers, telling them how bad a vulnerability might be or how vulnerable the application is, based on a vulnerability we may be finding. 

If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing.

They have a pretty unique process to get guidance. It's not like you send them an email. You could do that, but if you want to set up a consultation call, you have to go to the website and give them a certain amount of detail so that they can study the problem and the detail and be ready to meet with you. It's not as simple as doing an email. You have to go to their website and you have to click on the "consultation" button and pick a time to talk with an engineer. Sometimes an engineer is not available for quite a while. You have to wait at least a couple of days before you can meet. Having to wait for two days is not that efficient. You should be able to set it up within 24 hours.

And regarding announcements from Veracode, I've tried to get them to let my developers know directly, and I'm not sure if that's happening. I want to tell Veracode to make sure that happens. I don't want them to send an announcement to me and then I have to disseminate that information to my developers. I want it to go directly to them. They've got the developers' names and emails in their database so those announcements should go directly to them.

I believe the company got Veracode at the end of 2012. However, my association with Veracode has only been since about the end of 2014. So we had it for a couple of years before I got my hands on it and then I gradually started to use it and implement it to the point where it's at right now. Early 2016 is when I began administering it. I do other tasks, so it's not my full-time job. Veracode is just one of many hats that I wear. Nobody else administers it with me in our company.

Veracode support is really good. I get a lot of help from them. I've been on a few calls with my developers and they're very competent engineers. If they don't have the answers, they'll get back to you.

I feel that management would not approve it if we were not getting our money's worth out of it. We have definitely seen ROI from Veracode.

Going forward, though, what may bring that into question is our transition to the cloud. We're not getting any benefit from those applications in the cloud. I think that should be addressed sooner rather than later.  We're moving to the cloud more, and for our applications in the cloud we usually only go with FedRAMP-certified cloud vendors. So we're not actually even scanning those applications in the cloud with Veracode. Not all our applications are there, but close to 30 percent of them are there now.

And they have to address not being compatible with certain platforms that we use. That has to be addressed because the ROI question may be coming up sooner rather than later.

The solution is very pricey.

The product is very good, very reliable, and they've made a lot of improvements to the dashboards and the reports. They've made the product easy to use. There used to be a lot of things that you had to search for and maneuver to dig deep down for them, but you don't have to do that anymore. Many of the things are now at your fingertips, including performance reports. Those things are easy to get to. 

We're required to make sure we have no high or very high security issues in our code. Veracode is a code reviewer to prevent hacking and other bad things from happening.

The way it helps our company is that the code is secure. It also helps with our customers because I believe they can request a copy of the report. It lets them know that we're doing the best we can to provide secure software.

The solution has helped build my security skills as a developer. Now, as I proceed forward, I know what to look for when coding items. I'll be coding a little bit more defensively from what I've learned, from all the errors that it has found. Some of the stuff I wasn't even aware of. I also became aware of things that Veracode verified, but I really couldn't fix.

The policy reporting for ensuring compliance with industry standards and regulations is excellent. It identified most of the issues that our penetration testers look for and gave me a way to look at the line numbers of the code that needed fixing, and that was a huge help. It also gave me samples of code for what was going wrong and it enabled my supervisors and me to go through the whole project and fix 99 percent of the issues we had.

It provides visibility into application status across all testing types in a centralized view. The report is very good at showing that. We are not allowed to install anything until it passes the Veracode test. We have to fix all errors before we can install our software. It absolutely helps reduce risk exposure for our software.

I haven't come across any false positives.

The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up. We've had very few issues that we have actually had to contact Veracode about.

It does give some guidance, up to a point, for fixing vulnerabilities. It does a pretty good job of that. We went from a bunch of errors to a handful that I needed help with, and that was mostly because they provided some good information for us to look at. If I had been using this product a long time ago, I would have been able to anticipate a lot of things that Veracode discovered. The product I'm working on is about 12 years old and this was the first time we ran scans on it using Veracode. It identified quite a few issues. If you're starting a new project, it would be a good place to start. Once you get used to what people like penetration testers are looking for, this is a good tool to prevent having a pen test come back bad.

The Static Analysis Pipeline Scan is very good. It found everything that we needed to fix.

The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there.

We have been using Veracode for about three months.

The stability seems pretty good. There was only one instance where the site was down.

I don't think Veracode has any problems with scalability. My company is very big. There are about 1,000 of us, all developers, using the solution. It's being used throughout the company for all our products.

I would give their technical support five stars out of five. They were on point and they helped us identify resolutions for some of our issues that we couldn't figure out.

We used Fortify. I was not involved in the decision to switch.

I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good. It's just a good product, overall.

The biggest lesson I have learned from using Veracode is that there isn't an answer for everything. But when an area needs to be mitigated the mitigation process is fairly easy.

It's pretty efficient, but in my case it took a long time to upload my information. It was a very big project, so I was not surprised that it took a long time, but it was mostly because of the internet around here. It would take a long time to upload the DLL and run the static analysis. It would take about two hours, but again, it's a large project.

Overall, it does a very good job of preventing vulnerable code from going into production. It identified issues that were not detected in penetration tests and allowed us to lock them down.

We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.

Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution.  

Our Veracode license includes a "people component" that allows developers to request an in-person session to be scheduled to review a defect. This has helped our application security personnel pool to free up time for other pursuits. I'm not sure if this is included in all licenses or is an add-on.

Being cloud-based is a huge plus. All of our scans are always using up-to-date scan signatures and rules, and there is nothing for us to maintain.  Veracode has been spot-on with notifying about planned downtimes for maintenance and upgrades.  In my years of using the product, unplanned downtimes have been minimal (in fact I can't remember one.)

The API integration that allows integration with other tools, such as defect trackers and automated build tools, is also a benefit. We also like the integrated, available "in-person" support sessions to review and ask questions on discovered defects.

We've had one occasion where a sub-product upgrade required action on our part faster than we initially understood it needed to happen.  This ended up being relatively minor.  

One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive. 

Separately, I find the results console somewhat confusing.  When you are running multiple scan types for the same application, I've sometimes found it difficult to sort out where issues came from when I need that information.

We have been using Veracode for over four years.

Our solution is highly stable with minimal downtimes.  (In fact I don't recall the last time there was an unplanned Veracode cloud outage that impacted us.)  We previously had occasional issues with the scan appliance model, but the relatively recent switch to the ISM model has been much more stable.

Given that is is cloud based, coupled with their newer app-based internal scan model, we are pleased with the scalability and have not experienced any issues with scale.

As mentioned in prior comments, Veracode is simply put our best vendor in terms of relationship, value-add, and customer service/technical support. We get responsive answers from support, and their support resources clearly understand the product, and issues are resolved quickly.

Yes. We used a legacy, heavyweight dynamic scanning product. It would produce hundreds of pages of (mostly) false positives that were nearly impossible to digest and tune. We also didn't have a static scanning product. Moving to Veracode gave us much higher quality dynamic scanning with very few false positives (in part due to their model of human-assisted tuning, provided by them) and a robust static scanning solution.

The setup was easy and straight forward. We had some issues with API calls from our build automation tools, but this was related to networking issues in reaching the Veracode servers on the Internet, not the Veracode product itself.

We implemented with all in-house resources.

We achieve greatly improved security, earlier detection of security defects in the lifecycle, and as well as neatly meeting compliance requirements.

For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.

Checkmarx and SonarQube.

Of all the tools vendors I have relationships with, Veracode is simply our best vendor in terms of partnership, value add, and support responsiveness. 

Veracode is a cornerstone of our Development Security Operations Program, particularly scanning automation and remediation tracking.

We've been able to monitor the release cycle and verify our Security Standards are met by setting policy and ensuring scans are taking place. If a scan fails to meet our standard the build breaks and the flaws are remediated before releasing to Stage and ultimately Production -  where the potential impact is much more costly. 

We have discovered opportunities to make our code even better thanks to Veracode!

Veracode has improved our Application Security program by providing numerous integrations and tools to take our AppSec/DevSecOps to the next level. 

Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence.

In many ways, Veracode has increased productivity, helped build and improve security and development departmental relationships as well as enabling developers to consider and care about application security. 

Greenlight - Developers can test their code before they commit. They are able to privately scan their code and correct any mistakes before it is committed into the build and scanned with the other components.

SAST - During a build process, we have integrated the Veracode Static Scanning (SAST) component which provides an excellent first glance at the code moving through environments.

SCA /SourceClear - Veracode SCA / Source Clear has given us excellent visibility into potential vulnerabilities found in third-party components, packages, frameworks, and libraries.

Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk. Right now I have to jailbreak an iPhone and Root an Android to intercept and fuzz requests with a Burp Suite Proxy.

That is a very time-consuming process and there are lots of dependencies. It would be very helpful if we can upload and .ipa or .apk into a Veracode simulator, provide credentials and run a Dynamic scan accordingly. Fuzzing functionality on API resources, HTTP Methods, and Parameters would also be very useful in testing our Web and API Application Firewalls, response pages, and other WAAF actions.

I have been using Veracode for about two years now.

It seems to be very stable, no problems thus far.

It has lots of growth potential, lots of room for improvement.

Exceptional!

Previously used Burp Suite, OWASP Zed Attack Proxy, Python scripts / Powershell and Batch, Retire.JS, Vulners, and Wappalyzer browser plugins.

The initial setup very straightforward and integrations were up and running in a matter of days after purchase.

Implementation was in-house (Deployment, Automation Engineers, Myself)

Unknown - productivity and time are measurable, possibly as much as 20%. Improvement in cross departmental relations is priceless!

We also evaluated WhiteHat Security.

The primary use case for us was looking for web applications that might have vulnerabilities that could be compromised. Specifically, I was managing a team and we had built a lot of applications as well as having purchased applications from vendors. We were working with a security team to go through and scan those applications for vulnerability using Software Composition Analysis. We were trying to avoid situations where somebody could do something that they should not be able to do like get at data.  

The product helped improve our organization by helping us to identify potential problems in applications and fix them before they were used in a way that they should not be. In essence, it helped enhance our security. I think another thing is that it did is it did kind of helped us with the general education level of staff working on the projects. Developers or technical stakeholders specifically were presented with the opportunity to understand things that maybe they did not before.  

We were not doing the training piece of the process when we were onboarding the product, but just adopting the platform definitely increased their awareness and knowledge about potential issues in development and application vulnerabilities.  

One of the best things about the solution is that I think it is kind of easy to get started using it. The pain of adoption is low. Once you got the code scanned, there is a lot of information that you have to plan time to go through and work with other teams to get things resolved or disposition.  

I think that it was easy to get started, but there was also definitely a learning curve in terms of people needing to understand what the reports meant and what to do about the information that they were getting.  

There is a concept called false positives where things might come up as a potential issue but they really are not. In our case specifically, we might get a false positive when a potential vulnerability is discovered through Veracode analysis, but the way that the application is built makes it so what appears to be a vulnerability is not really an issue. Stated a different way, even though there might be something that prevents that particular event from ever happening, the product does not correctly detect the safeguards or the impossibility of the issue arising.  

When a false positive gets reported by the Composition Analysis, it results in more work for you to do than you should have to. There is a lot of information to go through and so some of it is due to those false positives. You either have to do work to eliminate the false positives being identified, or you have to look at the alert and determine that it is harmless.  

As far as what might be added in future releases, more artificial intelligence capabilities would be desirable. I do not know if they have it now. Maybe one example could be to make more focused suggestions or give more information in the reports to locate the cause of the issues. It should be something that improves results over time so that people do not have to do as much work to understand the details.  

I have been using Veracode Software Composition Analysis for probably around three years.  

I would say it is definitely stable. There were no problems with the platform itself. It has been reliable. We never had issues where we needed to call support.  

I think the opportunities for scalability are good because we did not come upon issues that caused us to wonder about its limitations. We have not really pressed to find scalability problems. So my impression is that scalability is good. We did not experience issues due to bottlenecks or anything like that.  

Our group of users contained a mix of roles. It was developers, project managers, testers, information security analysts, and engineers. It was probably a total of around 30 to 40 people.  

For deployment and maintenance, there were really just like a couple of people. There was not a full-time dedicated need for it.  

There were times when we had to deal with support when we ran scans and we were reviewing results. There were times when we needed to either open a ticket or talk to somebody who had some expertise in a specific area. That process was timely and they were responsive. So that was good.  

Veracode actually has a separate subscription that you can participate in that is something like a learning management catalog. I think that the training piece of support has definitely improved over the course of when we used it.  

We did have a different product, but it was a little bit for a different purpose. We were using a different product but complemented the Veracode product. 

The initial setup was pretty straight forward. That is part of it being an easy solution to get started with.  

The deployment started smaller in employing the product to analyze a subset of our applications. It initially was being employed to look at the vendor applications that we had. I would probably say that initial period was about three to six months. That effort was focused on one group and did not really include all of the technical people and developers.  

Once we saw what it could do, it got adopted and we rolled it out to more people. So we kind of employed it in stages. The first part, which was essentially a test period, was three to six months. Then pushing it out for broader adoption in the next part was another three to six months.  

We did not use integrators. We did have the training and we did have professional services in the form of customer support from Veracode.  

I do not remember the licensing costs off hand. I would probably estimate it to be between 50,000 to 75,000 in our case.  

The advice that I would have for people who are new to the product would be to start with a proof of concept. This will help you to see how the product works with your process and people.  

The biggest lesson I have learned from using this solution is that it definitely increased my education on how to prevent application vulnerabilities earlier on and how not to repeat them. It also helped me as a manager to better understand how to guide and coach people.  

On a scale from one to ten where one the worst and ten is the best, I would rate this product probably as a  seven, if I am going back in time. I thought that there was room for improvement, but at the same time, it did what we needed it to do. We got what we expected. So I thought it was good, but I also think there were some additional manual steps or work involved that we should not have needed to do. That is really why I do not rate it with a higher number.  

The primary use case was scanning a single-digit number of applications. We scanned them about twice a year and that's about it. It was just to get the results. We used the results to gauge our security health.

The feature that was most valuable to us was the ability to point locally in a quorum.

The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified. 

The solution needs to be more flexible. It needs to work with clients more effectively. 

Right now, the licensing model is based on the number of applications as opposed to being flexible and based on the number of developers or based on some other parameters. This constrains our company in terms of defining what an application is and doing the scans. We have an application with multiple deposit rates, but Veracode has a hard time recognizing the different components sitting in different depositories as one application. 

The solution is pretty similar to others. There wasn't anything that was so startlingly different it would make us want to stay.

I had been using the solution for a while, but I am currently in the process of moving off of it.

The solution is stable. we've never had any issues surrounding its stability.

There's nothing to scale. Asking if the solution is scalable or not isn't applicable in this case. It's not an active load balancer. It's just a static scan. If it was dynamic, there may be a question around scalability, but it is not.

Technical support team is quite good. However, if we're talking in terms of how Veracode recognizes clients and deals with them, I'd rate them as bad.

We did not previously use a different solution. We've only used Veracode.

The initial setup has a moderate level of difficulty. It's neither simple or complex.

We handled the implementation ourselves.

The solution recently doubled in price over the past year, which is why I've decided to move away from it. The price jump doesn't make sense. It's not like there was a sudden influx in new features or advancements.

Without getting too specific, I'd say the average yearly cost is around $50,000. The costs include licensing and maintenance support.

I handle software composition analysis. Currently, I'm moving away from Veracode.

I don't know which version of the solution I am using currently. It's not quite the most up-to-date version.

If a company is looking for a long-term partner, and not just a transactional solution, I'd suggest a different company.

I'd rate the solution eight out of ten.