reviewer2774562 - PeerSpot reviewer
DevSecOps Engineer at a tech services company with 11-50 employees
Real User
Top 10
Nov 4, 2025
Has improved our remediation efforts and reduced manual vulnerability management
Pros and Cons
  • "Veracode has positively impacted our organization by giving us a good chance to focus on development as we don't need to focus as much on compliance-related matters after we have ensured this level of security on the security posture management for our application."
  • "Veracode could be improved in terms of the UI platform as it could be more seamless, and if they allow different sessions in different browsers at the same time or in different tabs that would help tremendously."

What is our primary use case?

My main use case for Veracode is related to code scanning as well as third-party library scanning. In addition to my main use case with Veracode, I also used it for penetration testing.

What is most valuable?

The best features Veracode offers in my experience include product discovery, specifically library discoveries as well as remediation timelines, pull requests, and others. I also explored sandboxes.

The Remediation Timelines feature helps us in our workflow by ensuring we abide by certain compliance regulations, and it helped us prioritize high or critical vulnerabilities beforehand so that we pass the compliance checks.

For Library Discovery with Veracode, it was effective in terms of finding transitive dependencies, which allowed us to identify what libraries we need to update and recognize both direct and indirect vulnerabilities.

Veracode has positively impacted our organization by giving us a good chance to focus on development as we don't need to focus as much on compliance-related matters after we have ensured this level of security on the security posture management for our application. Veracode helped us focus on development by reducing our manual work, and the suggestions for fixes were valuable.

What needs improvement?

Veracode could be improved in terms of the UI platform as it could be more seamless, and if they allow different sessions in different browsers at the same time or in different tabs that would help tremendously. I feel Veracode doesn't need any additional improvements beyond what we have discussed.

For how long have I used the solution?

I have used Veracode for about two years in my previous organization.

Buyer's Guide
Veracode
May 2026
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
900,644 professionals have used our research since 2012.

What do I think about the stability of the solution?

Veracode is stable for me with no issues with uptime or reliability that I have experienced.

What do I think about the scalability of the solution?

Veracode handles growth and increased usage effectively.

How are customer service and support?

The customer support with Veracode is good, as I have interacted with their support team. I would rate the customer support of Veracode an eight on a scale of one to ten.

Which solution did I use previously and why did I switch?

Before using Veracode, we used SonarQube.

What was our ROI?

We did see a return on investment with Veracode, as we segregated our remediation efforts, which reduced our time to delivery as well as the number of engineers needed to help us in delivering a secure solution.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing for Veracode is that it is fairly moderate.

Which other solutions did I evaluate?

We did not evaluate other options before choosing Veracode; we directly moved to Veracode.

What other advice do I have?

I would advise others looking into using Veracode to go for code scanning as well as library scans, and I would recommend adopting it. I would rate this review an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Nov 4, 2025
PeerSpot user
Sr. Manager at Diconium
Real User
Top 20
May 14, 2026
Security scans have covered Java well but now expose gaps for larger codebases and for C or C++
Pros and Cons
  • "The product was great."
  • "There were many issues when we were uploading code. The size restrictions that you enforce, the way the results are presented, and the difficulty in finding details for C and C++ all forced us to move off of it."

What is our primary use case?

The challenge was not about implementing Veracode, but rather about the way we scan. The product that we have right now is based on different components, and Veracode was not able to support it. Ultimately, we are moving out of Veracode.

We are looking at Black Duck and Polaris.

What is most valuable?

The product was great. We had no issues with Java-related matters, but we want everything across the board to be scanned.

What needs improvement?

There were many issues when we were uploading code. The size restrictions that you enforce, the way the results are presented, and the difficulty in finding details for C and C++ all forced us to move off of it.

For how long have I used the solution?

It was less than a year.

How are customer service and support?

I wouldn't call it, because that is a different thing and represents the individual strategy of each company. So, I do not want to comment on that particular aspect.

Which solution did I use previously and why did I switch?

We have already used Veracode before.

How was the initial setup?

We were using the cloud version. We are using multiple clouds, not for Veracode specifically, but in general, we are using multiple clouds. We had some issues with the code.

What about the implementation team?

We were able to integrate it with our CI/CD engine. But I am not very sure about the other third-party integrations.

Which other solutions did I evaluate?

We are looking at Black Duck and Polaris.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: May 14, 2026
PeerSpot user
Lead Information Security Analyst at a financial services firm with 10,001+ employees
Real User
Top 5
May 31, 2025
Helps ensure that third-party libraries we're using are safe, but the scanning process can be more streamlined
Pros and Cons
  • "Veracode has impacted our overall security posture because we are from a security background. Every week, we review the dashboards of open findings."
  • "The scanning process could be more streamlined as it has certain limitations when performing manual scans. It has some checks when the content is in ZIP format or other formats, which takes two or three more steps than Fortify does."

What is our primary use case?

We have used Veracode only for third-party libraries until now. We have automated that and have onboarded the Dev team to directly scan from their pipeline. We have integrated the CI/CD in that way. We try to see whether the third-party libraries they have been using are safe versions, and if not, we are able to guide them along. For static scan, we primarily use Fortify. With Veracode, I do not have much experience because Fortify is our main tool. 

We are the security personnel. We give proper guidance to the development team and use Veracode whenever scans are in queue or stuck, helping to provide clarity on findings. We have guided the development team with the tool so that, as security auditors, we do not have to do that. We have given guidance to the development team since every release needs code without vulnerable dependencies or vulnerable code. We have guided them in a way that they can access such tools, where they can see the report, and where vulnerable code is present.

How has it helped my organization?

Veracode's policy reporting for ensuring compliance with industry standards and regulations is satisfactory. Veracode provides visibility into application status at every phase of development.

What is most valuable?

Veracode has impacted our overall security posture because we are from a security background. Every week, we review the dashboards of open findings. We use both Veracode and Fortify findings, as we are using two separate tools - one for SAST and one for dependency-related issues. When we highlight these in our meetings every day, it gives us a picture of the timeline needed to fix the code. We are using that feature regularly, and it helps significantly.

What needs improvement?

The product could be improved in its reporting. The scanning process could be more streamlined as it has certain limitations when performing manual scans. It has some checks when the content is in ZIP format or other formats, which takes two or three more steps than Fortify does. From a technical point of view, I may not be the best person to answer that since I haven't used it regularly. Other than the scanning process, I think it is acceptable.

For how long have I used the solution?

I have been using Veracode for a couple of years.

What do I think about the stability of the solution?

I would rate its stability as a six out of ten based on my personal opinion.

What do I think about the scalability of the solution?

It is scalable. I do not face any issues with the product's scalability.

How are customer service and support?

The technical support by Veracode is good because we have encountered problems before, and the team supported us effectively. For technical support, it deserves a rating of eight out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

It is somewhat complex compared to Fortify. As a Fortify user for almost five years, I find Veracode complex, but others in my team who have used it for eight to nine years don't find such issues. When we were doing manual scans before CI/CD integration, it was easier.

It took approximately four to five months to onboard the solution because it was new to developers as well. There was a certain process to be followed to get access and integrate it into the CI/CD tools. We had to explain the report format to them, showing where they could find vulnerabilities and how they could fix the code, including finding safer versions of libraries and dependencies. This took almost half of 2023, and now in 2025, they do not need our help except for technical problems when there are numerous scans in the pipeline.

What's my experience with pricing, setup cost, and licensing?

The pricing is reasonable compared to other tools.

What other advice do I have?

I haven't used the Veracode Fix feature that produces AI-generated fixes. 

The fact that Veracode doesn't scan source code, only binary code, is not a concern because we have certain projects that work with this approach. The AI functionality could be innovative, though I haven't experienced it yet. Regarding the breadth of Veracode's end-to-end testing versus competing solutions, I would rate it as eight out of ten.

Overall, I would rate Veracode a seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Lead Automation Quality Engineer in Leading UK Bank at a consultancy with 10,001+ employees
Real User
Top 20
Apr 18, 2025
Enables collaboration and customizations and improves security
Pros and Cons
  • "The good thing about Veracode is that when one scans the respective application code, all the people who are part of the transformation project can update their reviews. If there are any security flaws or vulnerabilities identified, they are able to provide sufficient justification or details about the security flaws."
  • "Veracode helped with policy compliance."
  • "Its cost and the long scanning times for large applications are the areas for improvement."

What is our primary use case?

We have now switched to another solution, but our use case was SAST.

Veracode was crucial to our shift-left security strategy, as we implemented it into our transformation projects. We defined internal strategies to use Veracode in the earlier stages of application development. Each sprint received application code, and we consistently scanned it using Veracode, reducing many security flaws early in development. This proactive approach helped developers to address any remaining flaws. Additionally, we defined a Jira workflow specifically for SAST bugs to track and manage security issues effectively.

How has it helped my organization?

Veracode helped with policy compliance. We have proposed Veracode for SAST to our stakeholder in the banking platform. They have specific security policies that the code needs to accommodate. We have two sets of policies defined: one is the default policy in Veracode, and the other is provided by stakeholders from the chief security team, who have imported policies relevant to the banking platform. The default policy is not sufficient to ensure the code is secure, so stakeholders provided more security policies relevant to their domain and the platform.

Our actual application code was a CAT-A application, meaning it had to pass SAST and DAST testing for deployment into production. This was a mandatory check from our perspective to get the code deployed into production. We have internal strategies to implement Veracode in different phases of our application deployment. Before going into production, we do SAST testing in lower environments and then one round of testing in higher environments based on bug-fixing code. We are cautious about deploying directly into production after completing security testing in Veracode because we continually receive bug-fixing code from different applications. So, we defined our strategy this way.

Veracode provided visibility into application status at every phase of development, including static analysis, dynamic analysis, composition, and penetration.

Most of the fixes relate to password encryption or some kind of SQL injections. If there are any security flaws verified against the policies defined by our stakeholders, as well as Veracode's, and if they pose a potential risk of breaches, Veracode provides excellent recommendations for fixing those security flaws. This detail helps us address the issues efficiently, as it specifies where fixes need to be applied and the implications of ignoring them. The options for developers to provide false positive comments or justification through Jira tickets if a fix cannot be implemented for a particular release are also very useful. These features in Veracode significantly aid developers in addressing security flaws in the code.

Because scanning takes a long time for uploading any kind of large application code, I would estimate we saved around 30% to 40%. After implementing our strategy for SAST within our platform, we started doing SAST scanning in Veracode for every sprint. This frequency is crucial because, without Veracode, it could be very difficult to implement such a strategy in the earliest stages of application development.

Veracode had a positive impact on our security posture. 

What is most valuable?

The good thing about Veracode is that when one scans the respective application code, all the people who are part of the transformation project can update their reviews. If there are any security flaws or vulnerabilities identified, they are able to provide sufficient justification or details about the security flaws. This helps developers fix the respective flaws in the application code, which we appreciated because it made it very easy for us to assist with fixing the application code from the development perspective.

What needs improvement?

Its cost and the long scanning times for large applications are the areas for improvement. We had integrated Veracode with other tools in the DevOps pipeline, such as Ansible and Jenkins. However, we faced a challenge, so we implemented Veracode offline, out of the DevOps pipeline. We had issues with scanning large applications. Scanning took a lot of time, so we kept it outside the DevOps pipeline to avoid delaying deployments. We defined different strategies to utilize Veracode for analyzing static-related security bugs in application code.

What do I think about the stability of the solution?

I would rate it a seven out of ten for stability. If the Veracode server is down, we experience many issues during the scan, and sometimes the scan gets interrupted, requiring us to restart it.

What do I think about the scalability of the solution?

For scalability, I would rate it a nine. It has a good capacity to scale effectively.

We had 15 to 20 licenses.

How are customer service and support?

We never used Veracode support. We only worked with the stakeholders provided by the customer. They were supportive. 

The responsiveness and quality of documentation from Veracode are notable compared to other tools we are currently using, where we often struggle to find the same level of support.

How would you rate customer service and support?

Positive

How was the initial setup?

It was easy.

What was our ROI?

I estimate we saved around 60% to 70% of our resources with Veracode.

What's my experience with pricing, setup cost, and licensing?

Pricing-wise, I find it a bit expensive because it's based on the number of users requesting access to Veracode.

Lower budget products may struggle to incorporate all of Veracode's capabilities into their processes.

Which other solutions did I evaluate?

We were looking for a tool in the market that could provide support for SAST or static analysis security testing. We wanted to implement it in the earlier phases of our transformation project. We looked into the analysis of different tools in the market, and then we decided that Veracode was the right tool at the time to provide more support for the SAST testing in our transformation project.

Veracode stands out when compared to other solutions, especially regarding predefined security policies and their support for implementing the DevSecOps pipeline.

What other advice do I have?

I do not have concerns about Veracode not scanning source code, only binary code. In previous scans of the same code with different tools, Veracode has identified more security flaws, so I don't worry about the scanning process. It effectively spots the security flaws.

I would recommend Veracode to other users, but you must consider the cost aspect. If an organization has sufficient funds for spending on this SAST tool, I would still strongly recommend it because of the extensive documentation and defined policies. 

Veracode allows for customized policies based on domain and platform, which is beneficial for collaboration among multiple users and teams. 

I would rate Veracode an eight out of ten. Implementing Veracode has been challenging in the DevOps pipeline due to long durations, which can delay production deployments. Hence, we established a separate strategy solely for SAST scanning, leading to my rating of eight.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

IBM
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2700198 - PeerSpot reviewer
IT App Security Senior Analyst at a transportation company with 10,001+ employees
Real User
Top 20
May 2, 2025
Helps with compliance and fixing flaws quickly
Pros and Cons
  • "The most valuable features include the total developer experience, along with regulator exposure and DevOps pipeline. It encompasses everything as an enterprise solution."
  • "Veracode is a very good tool, especially from a compliance standpoint."
  • "A nice addition would be if it could be extended for scenarios with custom cleansers."
  • "Veracode isn't important to the organization's shift-left security strategy itself. It's a tool."

How has it helped my organization?

It helps our organization's ability to fix flaws very quickly. It helps in that aspect. We have fixes, remediation guidance to help fix issues. Veracode provides a training platform for developers to ensure they have awareness and knowledge, so they have a place to get information. It helps our developers save time, but we don't have many metrics on that.

When it's used, it's helpful. That's about making people use it and requiring it to be used. It has been used at times, and we could get issues resolved and things fixed. It was quite advantageous for some time. I'm in a different part of the team now, and I've seen that since I've left, the numbers have gone the other way. Somebody was showing me how they just got big old backlogs of things, and they're not even able to keep up with issues. That's when they're working with Code Fix. They try to get them to use Veracode Fix, which will speed up things for development, so the security team's support team will not be backlogged.

It gives notifications to prevent vulnerable code from going into production. It doesn't stop anything from going into production, but it notifies you. You can then consider not promoting that code. The values and assessments it provides can be introduced in the different areas in our development cycle and pipeline.

Regarding visibility into application status in every phase of development, such as static analysis, dynamic analysis software, and SAST, I would say that's not possible when considering every phase of development, such as requirements and architecture, as it's not part of that. However, from where it is engaged in the software development lifecycle standpoint, it provides that information.

What is most valuable?

The most valuable features include the total developer experience, along with regulator exposure and DevOps pipeline. It encompasses everything as an enterprise solution. In an enterprise, you want developers to be able to do things easily. You want to be able to monitor development in IDEs and the environment states of working pipelines. You want to integrate DevOps pipelines that do scan assessments and evaluation, and promotion to later stages in the pipeline and testing cycles. You still want your security team to be able to access data or pull information for evaluations or regulatory compliance, and report back to corporate compliance.

For the teams that use it, it does affect the time to remediate security flaws. It fixes issues directly in the IDE while you're doing it.

What needs improvement?

Many teams now have IDE plug-ins and the ability to generate fixes in the code. It's becoming more of a standard thing. They focus on creating security fixes and tools. A nice addition would be if it could be extended for scenarios with custom cleansers.

For how long have I used the solution?

I've used Veracode for a while now.

How are customer service and support?

Their support is pretty good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I don't know why they switched, but it was the decision made before I joined the company, and then the pandemic hit. It was delayed, but it had already been paid for, so eventually the switch happened.

Which other solutions did I evaluate?

They did evaluate other options before choosing Veracode. I'm not familiar with the process they used, but they absolutely did evaluate. I've seen documentation, and Checkmarx was on that list as well.

What other advice do I have?

From a policy standpoint, industry policy and related matters, you have to adjust and adapt things for systems and solutions. It's capable, but another part of the company is responsible for some of that. We may not necessarily get feedback, so with the ability to use it effectively, I don't think we've matured as an organization to take advantage of it effectively.

Veracode isn't important to the organization's shift-left security strategy itself. It's a tool. You have the strategy, you set the strategy, and you find a solution that will adhere to and work with the strategy. That's generally the goal. Veracode works well with the strategy once you decide and define it. Strategy is set, and then you select the tool.

Veracode is a very good tool, especially from a compliance standpoint. I would rate it an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
David-Robertson - PeerSpot reviewer
Director Enterprise Architecture at Exeter Finance Corp.
Real User
Top 20
Jun 23, 2024
Static scanning and software composition analysis are very helpful, but the usability needs improvement
Pros and Cons
  • "Static scanning and software composition analysis are very helpful. My colleagues and I don't need to be experts on all of those ancillary things, so we can focus more on the business deliverables."
  • "The usability isn't good in Veracode. Sometimes, it will show a problem, but it's difficult to go into their tool and figure out where it is. You primarily use a web browser to access their system. It requires a lot of clicks. The static analysis is a separate part of their system from the SCA, so that's a bit difficult. They haven't fully integrated that. It's difficult for the consumer."

What is our primary use case?

Static scanning is one component of Veracode. That feature we use heavily to scan all the custom code we write weekly. We use another component called software composition analysis to scan all of our open-source packages. These are the two primary use cases that we have for Veracode.

It flags any security flaws or bad practices. Veracode has its own database for many vulnerabilities identified on the SCA side. They use a tool called SourceClear, which validates vulnerabilities in any of these packages. The scanner itself is pretty good at identifying some of the flaws in either the code or the open-source packages.

How has it helped my organization?

Our organization is more secure than without Veracode. It has improved our security posture because we're running it. It's hard to gauge what that would be without it because we haven't had any security issues since I joined the company. 

Veracode is very good at ensuring compliance with industry standards. It has helped us fix flaws. We know what's there, and there's generally a decent explanation for fixing each flaw. It's a quicker time to market. It's easy to figure out the problem and solve it so that we don't have exposed vulnerabilities in the market. 

It has helped developers save time. We generally resolve all our flaws within seven to 20 business days after they are identified. Veracode is crucial to our shift-left strategy. We have automated scans, so we scan all our code every weekend. Today is one of those days, so it's usually the time when we come in, see there's a new problem, and immediately start working on it.

What is most valuable?

Static scanning and software composition analysis are very helpful. My colleagues and I don't need to be experts on all of those ancillary things, so we can focus more on the business deliverables.

They have a pretty good tool that allows me to run scans of my local integrated development environment. I can find a lot of those flaws a lot sooner than I would if I had to wait for these cloud-based scans. They've come out with some sort of automated fix feature. I haven't used it, but they gave us a demo of it, and that one looks promising. I don't know if it's ready for prime time yet. 

What needs improvement?

The usability isn't good in Veracode. Sometimes, it will show a problem, but it's difficult to go into their tool and figure out where it is. You primarily use a web browser to access their system. It requires a lot of clicks. The static analysis is a separate part of their system from the SCA, so that's a bit difficult. They haven't fully integrated that. It's difficult for the consumer.

For how long have I used the solution?

We have used Veracode for about five years. 

What do I think about the stability of the solution?

Veracode's stability is 50-50. They deploy new versions of their engine. Recently, the new version identified flaws in the code that were six months to a year old.  

What do I think about the scalability of the solution?

Veracode seems to scale pretty well. We scan 60 to 70 applications every weekend without any problems. 

How are customer service and support?

I rate Veracode's support engineers eight and their frontline support four. Their engineers are typically good and helpful. If I open a tech support ticket, I usually get a Veracode engineer. Those guys are good. I would rate their other support people poorly. 

How would you rate customer service and support?

Neutral

How was the initial setup?

Veracode is straightforward to deploy. It's a general automated DevOps strategy. It's a responsibility shared among 20 to 30 people.

What's my experience with pricing, setup cost, and licensing?

Veracode is a decent value, depending on what you're trying to achieve. It's pretty good for security flaws.

What other advice do I have?

I rate Veracode six out of ten. I would recommend Veracode to others. The scanner is best in class, but the rest, not so much.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Senior Solutions Architect at IDS Comercial
Real User
Top 5
Apr 5, 2025
Flexibility to define rules and real-time updates enhances network security
Pros and Cons
  • "It makes it very easy to track and monitor activity."
  • "Using an automated tool brings cost reduction and more security."
  • "Maybe the boards could be made easier to understand or easier to customize."

What is our primary use case?

I use Veracode to implement solutions with security and to define rules, for example, for the network and the traffic of the network. Those are the main scenarios where I have interacted with Veracode. I use Veracode in the banking sector.

How has it helped my organization?

It makes it very easy to track and monitor activity. The visibility via the boards is very good. It enhances operations. 

What is most valuable?

The flexibility to define rules and the ability to update those rules on the fly are valuable features. It has boards where it is easy to track or monitor the activity. This is something that brings value and enhances the operation. Whenever we need to update a rule or make changes, you need to do it quickly, and this makes it possible. 

What needs improvement?

Maybe the boards could be made easier to understand or easier to customize.

For how long have I used the solution?

I've had some interactions with this solution. 

What do I think about the stability of the solution?

It's quite stable. It's a very good solution.

What do I think about the scalability of the solution?

This is easy to scale. If I need to add new infrastructure, I just need to start scanning or include new segments of the network. It will automatically include new infrastructure or it will escalate. Cloud solutions are easier to scale than on-premise solutions.

How are customer service and support?

I haven't interacted with support. However, it's got good support. They respond very quickly since security is something critical. It will depend on the severity of the requests.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I was using a legacy solution, and we tried to migrate to a new solution like Veracode. However, I was not a part of deciding which solution to move to.

How was the initial setup?

I was not involved in the initial deployment. 

What was our ROI?

Especially in banking, security is a must-have. If we have weaknesses in security, it will cost a lot, for example, hacking or people trying to access the network. Veracode's scanners report the status of the weaknesses in the current infrastructure. 

It scans and provides reports regarding the servers, the network, and the applications running on those servers. It's a very valuable kind of solution. Trying to do it manually would be costly and increase the risk of mistakes if we try to identify all those bugs in the architecture. Using an automated tool brings cost reduction and more security.

What's my experience with pricing, setup cost, and licensing?

The pricing is competitive. It's not the most expensive solution. It also brings some benefits in comparison to other options. 

What other advice do I have?

I would give Veracode an eight out of ten. 

I do not have any specific advice for people considering using Veracode.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Avdhesh Bhardwaj - PeerSpot reviewer
VP, DevSecOps Engineer at Truist
Real User
Top 10
Aug 7, 2024
Has a Greenlight plugin that is useful for quality checks of code
Pros and Cons
  • "I appreciate Veracode's SAST and SCA features, which help to find open-source vulnerabilities. I'd estimate it's about 98% accurate, though some false positives occasionally exist. Our team has been using it for a long time."
  • "The solution should include monthly guidelines, a calendar, or a newsletter highlighting the top vulnerabilities and how to resolve them using Veracode. Its policies should be up-to-date with NIST standards and OWASP policies."

What is our primary use case?

We use Veracode for static code analysis of our applications in two main ways: reactively and proactively. For the reactive approach, we run automatic scans nightly after developers merge changes from feature branches into the release branch. Proactively, we use the Veracode Greenlight plugin, which checks for vulnerabilities when developers try to commit code, even on feature branches, only allowing commits after passing these checks.

What is most valuable?

I appreciate Veracode's SAST and SCA features, which help to find open-source vulnerabilities. I'd estimate it's about 98% accurate, though some false positives occasionally exist. Our team has been using it for a long time. 

We sometimes use the free access to the tool's application security consulting team. We reach out to them when we've tried to change our code based on its recommendations but still can't achieve 100% green status. They help us fix issues in real-time through screen sharing and development work.

We saw the tool's benefits long ago when we first implemented it. Security is a top priority for us when working for a bank. We recognized the solution as one of the best tools in the market and decided to integrate it into our pipeline. We set up quality checks in our pipelines so that any code with high or critical vulnerabilities can't even be deployed to the development environment. This proved helpful for our team. Now, we have a quality gate that checks the Veracode status before any code goes into production. The code can only be deployed to production if Veracode scanning shows no vulnerabilities. We strictly follow this process and have made Veracode an integral part of our Software Development Life Cycle approach.

Veracode has also helped us save time, especially with its proactive approach. The Greenlight plugin works directly in our IDE and is particularly helpful.

What needs improvement?

The solution should include monthly guidelines, a calendar, or a newsletter highlighting the top vulnerabilities and how to resolve them using Veracode. Its policies should be up-to-date with NIST standards and OWASP policies.

I think if it could be enhanced with AI capabilities similar to Copilot, it could be even more beneficial in guiding developers and catching potential issues early in the development process. The solution should also come with Docker images. 

For how long have I used the solution?

I have been using the product for six years. 

How are customer service and support?

The product's support is good. 

How would you rate customer service and support?

Positive

How was the initial setup?

The solution's deployment is easy. 

What other advice do I have?

I rate the overall product an eight out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Kv Rao - PeerSpot reviewer
Site Leader (India) at Industrial Scientific
Real User
Top 5
Dec 12, 2024
Integrates pipelines smoothly and fortifies code against vulnerabilities
Pros and Cons
  • "The ease of integration with Bitbucket pipelines and Git pipelines is vital for us."
  • "Veracode allows us to easily summarize issues and provide quick, actionable insights."
  • "Veracode can improve the licensing model as it is a bit confusing."

What is our primary use case?

I use Veracode in multiple places including static code analysis, penetration testing, and dynamic code analysis. It is part of our pipeline and integrates well with Bitbucket and Git pipelines.

What is most valuable?

The ease of integration with Bitbucket pipelines and Git pipelines is vital for us. Veracode allows us to easily summarize issues and provide quick, actionable insights. It offers confidence by preventing exposure to vulnerabilities and helps ensure that we are not deploying vulnerable code into production.

What needs improvement?

Veracode can improve the licensing model as it is a bit confusing. 

Additionally, threat modeling and asset management could be made more general rather than very specific.

For how long have I used the solution?

I have had experience with Veracode for a few years now, at least a couple of years.

How are customer service and support?

I have seen an upward rating of eight or more out of ten. They are very responsive and quick to help with queries within our scope.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We considered other solutions but have stuck with Veracode due to an enterprise level licensing deal and it serving our immediate important needs.

What's my experience with pricing, setup cost, and licensing?

The licensing model is a little confusing, but we have a good relationship in terms of how it is set up. The pricing and model align with the needs of the developer community and the cybersecurity office.

What other advice do I have?

I would recommend this solution as it is adaptable for threat modeling and penetration testing on contemporary tech stacks. 

Overall, I rate the solution an eight out of ten.

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Robert Hood - PeerSpot reviewer
Information Security Architect at a tech vendor with 5,001-10,000 employees
Real User
Aug 14, 2023
Great SAST, good DAST, and helps save a significant amount of time
Pros and Cons
  • "The most valuable feature is the SAST capability and its integration into the Veracode pipelines."
  • "From what we have seen of Veracode's SCA offering, it is just average."

What is our primary use case?

My company is a financial and technical enterprise with involvement in healthcare as well. We use Veracode for scanning, utilizing both SAST and DAST approaches. The purpose of static testing is to assess our code for vulnerabilities before deployment. After completing this step and addressing any identified issues, we run dynamic application security testing on the applications we've created to ensure there are no vulnerabilities introduced after the build. These could be issues that arise during the execution of the code, rather than being inherent to the code itself.

Additionally, we are currently considering or in the process of transitioning to Veracode for a specific function known as Software Composition Analysis, which is among the services they offer.

In terms of my use cases, I oversee approximately 200 development teams managing around three to four hundred projects. About 30 percent of these projects are connected to Veracode. Moreover, I manage a user base of over 700 individuals, and many of our build pipelines include immediate SAST scanning during the building process.

We currently use Veracode Cloud, specifically the public cloud. At the moment, I am in the process of deploying two Veracode ISM management servers from their platform. These servers will be responsible for scanning our internal applications that are not exposed to the external world. One significant aspect is that our company decided to transition to the cloud approximately three years ago. Initially, we had 27 data centers scattered worldwide, but now we have reduced that number to five. By the end of this year, we plan to further decrease it to three, and eventually, we will likely have only one or two data centers in the future. However, there are certain things that we cannot migrate to the cloud.

How has it helped my organization?

Veracode's ability to prevent vulnerable code from being deployed into production is excellent. It is considered one of the best scanning tools available. We have conducted several comparisons between Veracode and other products in the market, and Veracode consistently ranks first among those we have tested.

With Veracode, the amount of vulnerable code that gets through is almost negligible. When we run a scan, we don't expect to find any significant vulnerabilities because the SAST usually catches almost everything.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is excellent. It is applicable to us as a multinational company with PCI and HIPAA requirements, and we also engage in government projects. Consequently, we are obliged to adhere to any relevant regulations, which is why we have implemented numerous policies that automatically alert us when any action might potentially violate the established guidelines.

Although Veracode can offer visibility into the application's status at every phase of development, we do not rely on manual penetration testing because we have our own testing team. Instead, we use SAST from the moment our developers start typing the code until the deployment phase. 

The visibility has significantly expedited our DevSecOps process. Now that we've integrated Veracode and included it in our build pipelines, we can provide feedback on potential issues and vulnerabilities in their code much more quickly. Our team appreciates and is delighted with this improvement because, previously, we had to wait until the builds were completed, then run DAST and subsequently present them with ten pages of issues, which would take them ten to fifteen days to address. By adopting a left-shifting approach, we've moved the bar further to the left, reaching a point where we can hardly get closer than we are now while they are actively coding. The only way to provide them with even faster information about potential vulnerabilities in their code would be to offer feedback as they type and when they push the code to the main build. Unfortunately, as of now, there are no tools available that can accomplish this.

Veracode has been a great benefit because it allows developers to log in to their code and examine the specific vulnerabilities they were informed about. Typically, there is a description of why and how the vulnerability occurred, along with guidance on how to resolve it. Veracode significantly aids our organization in fixing flaws.

Veracode helps our developers save time. While I cannot provide a precise estimate of the actual time saved, I can explain that the more we shift the SAST to the left, meaning running it as soon as the developers enter their code, the more time we can save. This is because when developers have the code fresh in their minds, they have a better understanding of what they wrote and how to fix any vulnerabilities based on the provided descriptions. On the contrary, if we shift the SAST further to the right when the code is already completed and possibly being reviewed by a different developer, it will take more time for them to understand the original code and the vulnerability's context. Thus, the original developer could have fixed the vulnerability in a shorter period of time. Additionally, considering the learning curve for new developers down the line, it becomes even more crucial to have the original developer fix the vulnerability promptly. If we only run DAST without SAST, we might end up with a long list of ten thousand potential vulnerabilities, which would require weeks of work just to address them all sequentially from the start.

Veracode has had a significant impact on our organization's security posture. When I first arrived, we were only connected to about three different teams. Originally, we only had seven or eight teams. Now, we have almost two hundred teams. One of the most significant changes is that even with those seven or eight teams, only two or so were using Veracode. However, we gradually added more teams as they came on board. Subsequently, there was a major organizational change, and teams were divided into smaller, more compact, and agile units, which is the new trend in the industry. As a result, the teams are now much smaller, more diverse, and more agile. We are now connected to 70 percent of the two hundred teams. We have expanded considerably, but there is still more to achieve. The efficiencies have improved significantly, and the developers are satisfied with this progress. This shift is excellent for security because we were usually known as the "no people," but now we are transforming into the "yes" and "let me help you with that" people.

Veracode has reduced the cost of our DevSecOps, just from the 25 percent time-saving. The most expensive factor is not computers or technology, but rather, it's people. If I were to add together all of the salaries of the individuals and compare the amount of time saved to the total salary cost, I could cover the expenses for my infrastructure twice over a year. 

What is most valuable?

The most valuable feature is the SAST capability and its integration into the Veracode pipelines.

What needs improvement?

From what we have seen of Veracode's SCA offering, it is just average. The SBOM is adequate, but it's essentially the same as what everyone else is doing. In terms of SCA, they are about average compared to other systems. Therefore, I would like to see some improvements. 

SAST, DAST, and SCA in a single pane of glass would be a good upgrade to Veracode.

We are a Jira and Confluence shop and I would like to have a really good integration with those tools. 

We have a ticketing system that not too many companies have ever heard of. In fact, I had never heard of it before coming here. Instead of using a well-known industry standard like ServiceNow, we use a ticketing system called Cherwell, which also has an open API. Having an API for the ticketing system would be really beneficial.

I would prefer if Veracode offered more options for licensing, such as a pipeline or project license instead of a user license. Currently, I have around seven hundred users, but I manage fewer projects. Therefore, I believe it would be more beneficial and efficient for me if Veracode could adopt a project-based pricing model. In reality, I have multiple teams working on various projects simultaneously. Pricing based on the number of projects I have up and running would be more suitable for my needs compared to the number of developers working on a particular project.

One thing that I would like to be able to do is to receive a daily summary of the emails I currently receive. With numerous ongoing projects, constant scanning occurs, resulting in a high volume of emails about what is being processed. I believe it would be helpful if Veracode could create a daily summary of these emails. This way, I can easily track the number of actual emails I receive without having to go through each one individually. As of now, I already have 65 emails from Veracode, specifically regarding the processes that ran today.

For how long have I used the solution?

I have been using Veracode for three years.

What do I think about the stability of the solution?

I have almost never seen any downtime with Veracode.

What do I think about the scalability of the solution?

The scalability is excellent because we utilize Veracode on their cloud infrastructure, and we handle dozens of projects daily.

How are customer service and support?

I've never had a problem that didn't get solved, or at the very least, get immediate feedback. So, I would say their technical support is very good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously utilized a solution provided by IBM in my previous organization, but later we transitioned to a company named WhiteHat Security. The reason for this switch was that when we conducted a scan using the IBM solution, it returned a result of ten thousand vulnerabilities. It was my responsibility to review the vulnerability report and clear out any false positives. However, this task was extremely time-consuming, taking nearly forty hours to complete. The reason behind the prolonged effort was the spidering scan performed by the IBM solution, which continually traversed different pages through various links, leading to repetitive errors that required matching and deduplication. Out of the ten thousand vulnerabilities, approximately a thousand were legitimate, and the scanning capability was limited to DAST. To address these challenges, we migrated to WhiteHat Security. With WhiteHat's scanning process, the number of vulnerabilities was reduced significantly to around six or seven hundred. Their approach outperformed my manual efforts in identifying duplicates and further eliminated non-duplicate vulnerabilities that were caused by the same piece of code.

When I joined my current company they were already using Veracode.

How was the initial setup?

The initial setup was straightforward. We connected to the Veracode cloud, so essentially, we are operating on their public cloud. Whenever we run any process, we send our code to them. They execute it, and we receive feedback from the execution.

I have not been involved in the initial deployment of Veracode, but I have been involved in deploying the pipelines, creating and building out the ISMs, and also administering users. Recently, we moved and integrated it with our single sign-on. Since we're using Okta, we performed the integrations, and now everyone connects through Okta.

What about the implementation team?

We utilized a value-added reseller, and they provided integrators themselves. Additionally, we have direct connections with Veracode. So, my understanding is that we likely received assistance from both the value-added reseller's team and Veracode.

We have monthly calls with Veracode. I work directly with engineers and have access to their email addresses and telephone numbers. This way, whenever there's a problem or an issue, I can easily reach out to someone. Additionally, I receive almost daily emails regarding recent developments and occurrences.

What was our ROI?

We have seen a return on investment. We have two hundred teams, and approximately 70 percent of them are integrated with Veracode, running pipeline scans on about 50 percent of those. The remaining teams conduct manual SAST scans instead of using pipeline scans. We have likely saved 25 percent or more of the time it takes developers to go from a startup project to the final build and deployment, just by addressing vulnerabilities.

What's my experience with pricing, setup cost, and licensing?

We pay based on the number of developers working on a particular project.

Which other solutions did I evaluate?

Our organization evaluated four or five different solutions before selecting Veracode. The issue with the others was that they only offered either SAST or DAST, but not both, whereas Veracode provides both.

What other advice do I have?

I would rate Veracode an eight out of ten. Veracode needs to improve its SCA capabilities to become a market leader rather than a market follower. Another noteworthy area they are starting to focus on is container security. I assume they will compete with Lacework and other companies in that domain, which makes it worth keeping an eye on.

Veracode's software bill of materials feature is integrated into the software composition analysis, which we are currently exploring for utilization. However, at this time, we are using a third-party product for that purpose.

Veracode's false positive rate is very low based on what we have found. However, there are instances where it becomes confused, identifying one type of vulnerability when it is actually a different type that appears similar. Nevertheless, we always conduct verifications before approving a list of vulnerabilities for the developers to address. We thoroughly go through and verify at least most of the different types to ensure their validity. My team verifies the false positives, so the developers almost never see them. Because we don't encounter many false positives, we don't spend a lot of time fine-tuning policies. We'll make some minor adjustments, and it should mostly resolve the issue until we encounter a different type of false positive. Then, we'll have to address it separately.

One of the other things that I have observed recently is a tool called Veracode Fix. We have not examined it yet, but it's worth considering. Normally, we avoid implementing too many automated fixes because sometimes they end up causing even more issues, particularly when dealing with legacy code while transitioning to Veracode. Allowing automation could potentially lead to the application being permanently shut down, especially in cases like Software Composition Analysis and Software Bill of Materials where we may need to upgrade to a different or less vulnerable, open source piece of code. If we upgrade without ensuring compatibility with our existing setup, it could break numerous things. Hence, we previously attempted to use automated fixes, but the outcome was negative, and we have decided never to repeat that mistake. Therefore, it's something we plan to explore, but we need to ascertain if there have been any changes in that type of setup.

For someone who wants to use Veracode but is concerned about the cost, the amount of time saved, especially on the SAST side of things, makes it worthwhile.

We are a multi-cloud organization primarily using AWS, with 25 percent of our infrastructure on Azure and a smaller portion on Google Cloud. We are currently using Google services only because we are a Google shop rather than a Microsoft Office shop. As a result, all of our emails are managed through Google, and we rely on Google Docs and other related tools. 

There are four architects and a group of DevSecOps professionals who work directly with the development and operations teams. They form the security component of the organization and are responsible for operating Veracode on a daily basis. Their primary role is to assist the developers in integrating Veracode into their workflows, setting up pipelines, and collaborating with them when vulnerabilities are identified. They are available to help the developers understand why they received a vulnerability and guide them on how to address and eliminate it.

The only maintenance we will have to deal with is related to the ISM servers. These ISM servers are actually controlled by our company. There is an on-prem link to the Veracode cloud. When they conduct their scan, they access the server, which acts as a jump box. This enables them to scan our internal applications that do not have direct access to the outside world.

Veracode is a good Dynamic Application Security Testing tool, but it excels as an outstanding Static Application Security Testing solution for organizations that prioritize serious security measures.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
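Two of the reviews above describe the same control from different angles: the Truist reviewer's pipeline quality gate that refuses to deploy code carrying high or critical findings, and Robert Hood's practice of having the security team verify false positives before developers ever see them. The script below is an added illustration of that gate, not Veracode's own code or API, and it does not use Veracode's real results schema. It assumes a hypothetical, simplified findings export (constructed inline as SAMPLE_EXPORT) with one record per flaw, a severity ladder ordered as in SEVERITY_RANK, and a security-team-maintained list of accepted finding IDs that stands in for reviewed false positives or approved mitigations. Anything at or above the threshold that is not on that list fails the build.

```python
"""Severity-threshold quality gate over a SAST findings export (illustrative)."""
import json
import sys
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Assumed severity ordering for this example; not Veracode's own scale.
SEVERITY_RANK: Dict[str, int] = {
    "informational": 0, "very low": 1, "low": 2,
    "medium": 3, "high": 4, "very high": 5,
}


@dataclass(frozen=True)
class Finding:
    issue_id: str
    cwe: int
    severity: str   # normalised to lower case, one of SEVERITY_RANK
    path: str
    line: int


def parse_findings(raw_json: str) -> List[Finding]:
    """Parse the hypothetical export format; reject severities we cannot rank."""
    doc = json.loads(raw_json)
    findings: List[Finding] = []
    for item in doc["findings"]:
        sev = str(item["severity"]).strip().lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {item['severity']!r} on {item['id']}")
        findings.append(Finding(str(item["id"]), int(item["cwe"]), sev,
                                str(item["file"]), int(item["line"])))
    return findings


def evaluate_gate(findings: List[Finding], threshold: str = "high",
                  accepted: FrozenSet[str] = frozenset()) -> dict:
    """Fail the gate on any finding at or above `threshold` unless its ID
    is on the security team's accepted list (verified false positive or
    approved mitigation). Accepted findings are reported, not hidden."""
    floor = SEVERITY_RANK[threshold.strip().lower()]
    blocking: List[Finding] = []
    suppressed: List[Finding] = []
    for f in findings:
        if SEVERITY_RANK[f.severity] < floor:
            continue
        (suppressed if f.issue_id in accepted else blocking).append(f)
    return {"passed": not blocking, "blocking": blocking, "suppressed": suppressed}


# Constructed sample export; the IDs, CWEs and paths are made up for the example.
SAMPLE_EXPORT = json.dumps({"findings": [
    {"id": 1001, "cwe": 89,  "severity": "Very High", "file": "app/db.py",    "line": 42},
    {"id": 1002, "cwe": 79,  "severity": "Medium",    "file": "app/views.py", "line": 88},
    {"id": 1003, "cwe": 78,  "severity": "High",      "file": "app/tasks.py", "line": 17},
    {"id": 1004, "cwe": 200, "severity": "Low",       "file": "app/log.py",   "line": 5},
]})


def main(argv: List[str]) -> int:
    """Usage: gate.py [findings.json] [accepted_id,accepted_id,...]
    Exit code 1 blocks the pipeline stage, mirroring a CI quality gate."""
    raw = open(argv[0]).read() if argv else SAMPLE_EXPORT
    accepted = frozenset(argv[1].split(",")) if len(argv) > 1 else frozenset()
    verdict = evaluate_gate(parse_findings(raw), "high", accepted)
    for f in verdict["suppressed"]:
        print(f"ACCEPTED  {f.issue_id} CWE-{f.cwe} {f.severity} {f.path}:{f.line}")
    for f in verdict["blocking"]:
        print(f"BLOCKING  {f.issue_id} CWE-{f.cwe} {f.severity} {f.path}:{f.line}")
    print("gate:", "PASS" if verdict["passed"] else "FAIL")
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments and the constructed sample fails the gate on the CWE-89 and CWE-78 findings; pass `1001,1003` as the accepted list and it passes while still printing both as ACCEPTED, so the suppression stays visible in the build log rather than disappearing. Keeping the accepted list in version control, owned by the security team, is what turns Hood's "my team verifies the false positives" into something the pipeline can enforce.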
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2026