Veracode Reviews

My company is a financial and technical enterprise with involvement in healthcare as well. We use Veracode for scanning, utilizing both SAST and DAST approaches. The purpose of static testing is to assess our code for vulnerabilities before deployment. After completing this step and addressing any identified issues, we run dynamic application security testing on the applications we've created to ensure there are no vulnerabilities introduced after the build. These could be issues that arise during the execution of the code, rather than being inherent to the code itself.

Additionally, we are currently considering or in the process of transitioning to Veracode for a specific function known as Software Composition Analysis, which is among the services they offer.

In terms of my use cases, I oversee approximately 200 development teams managing around three to four hundred projects. About 30 percent of these projects are connected to Veracode. Moreover, I manage a user base of over 700 individuals, and many of our build pipelines include immediate SAST scanning during the building process.

We currently use Vericode Cloud, specifically the public cloud. At the moment, I am in the process of deploying two Veracode ISM management servers from their platform. These servers will be responsible for scanning our internal applications that are not exposed to the external world. One significant aspect is that our company decided to transition to the cloud approximately three years ago. Initially, we had 27 data centers scattered worldwide, but now we have reduced that number to five. By the end of this year, we plan to further decrease it to three, and eventually, we will likely have only one or two data centers in the future. However, there are certain things that we cannot migrate to the cloud.

Veracode's ability to prevent vulnerable code from being deployed into production is excellent. It is considered one of the best scanning tools available. We have conducted several comparisons between Veracode and other products in the market, and Veracode consistently ranks first among those we have tested.

With Veracode, the amount of vulnerable code that gets through is almost negligible. When we run a scan, we don't expect to find any significant vulnerabilities because the SAST usually catches almost everything.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is excellent. It is applicable to us as a multinational company with PCI and HIPAA requirements, and we also engage in government projects. Consequently, we are obliged to adhere to any relevant regulations, which is why we have implemented numerous policies that automatically alert us when any action might potentially violate the established guidelines.

Although Veracode can offer visibility into the application's status at every phase of development, we do not rely on manual penetration testing because we have our own testing team. Instead, we use SAST from the moment our developers start typing the code until the deployment phase. 

The visibility has significantly expedited our DevSecOps process. Now that we've integrated Veracode and included it in our build pipelines, we can provide feedback on potential issues and vulnerabilities in their code much more quickly. Our team appreciates and is delighted with this improvement because, previously, we had to wait until the builds were completed, then run DAST and subsequently present them with ten pages of issues, which would take them ten to fifteen days to address. By adopting a left-shifting approach, we've moved the bar further to the left, reaching a point where we can hardly get closer than we are now while they are actively coding. The only way to provide them with even faster information about potential vulnerabilities in their code would be to offer feedback as they type and when they push the code to the main build. Unfortunately, as of now, there are no tools available that can accomplish this.

Veracode has been a great benefit because it allows developers to log in to their code and examine the specific vulnerabilities they were informed about. Typically, there is a description of why and how the vulnerability occurred, along with guidance on how to resolve it. Veracode significantly aids our organization in fixing flaws.

Veracode helps our developers save time. While I cannot provide a precise estimate of the actual time saved, I can explain that the more we shift the SAST to the left, meaning running it as soon as the developers enter their code, the more time we can save. This is because when developers have the code fresh in their minds, they have a better understanding of what they wrote and how to fix any vulnerabilities based on the provided descriptions. On the contrary, if we shift the SAST further to the right when the code is already completed and possibly being reviewed by a different developer, it will take more time for them to understand the original code and the vulnerability's context. Thus, the original developer could have fixed the vulnerability in a shorter period of time. Additionally, considering the learning curve for new developers down the line, it becomes even more crucial to have the original developer fix the vulnerability promptly. If we only run DAST without SAST, we might end up with a long list of ten thousand potential vulnerabilities, which would require weeks of work just to address them all sequentially from the start.

Veracode has had a significant impact on our organization's security posture. When I first arrived, we were only connected to about three different teams. Originally, we only had seven or eight teams. Now, we have almost two hundred teams. One of the most significant changes is that even with those seven or eight teams, only two or so were using Veracode. However, we gradually added more teams as they came on board. Subsequently, there was a major organizational change, and Teams were divided into smaller, more compact, and agile units, which is the new trend in the industry. As a result, the teams are now much smaller, more diverse, and more agile. We are now connected to 70 percent of the two hundred teams. We have expanded considerably, but there is still more to achieve. The efficiencies have improved significantly, and the developers are satisfied with this progress. This shift is excellent for security because we were usually known as the "no people," but now we are transforming into the "yes" and "let me help you with that" people.

Veracode has reduced the cost of our DevSecOps, just from the 25 percent time-saving. The most expensive factor is not computers or technology, but rather, it's people. If I were to add together all of the salaries of the individuals and compare the amount of time saved to the total salary cost, I could cover the expenses for my infrastructure twice over a year. 

The most valuable feature is the SAST capability and its integration into the Veracode pipelines.

From what we have seen of Veracode's SCA offering, it is just average. The SBOM is adequate, but it's essentially the same as what everyone else is doing. In terms of SCA, they are about average compared to other systems. Therefore, I would like to see some improvements. 

SAST, DAST, and SCA in a single pane of glass would be a good upgrade to Veracode.

We are a Jira and Confluence shop and I would like to have a really good integration with those tools. 

We have a ticketing system that not too many companies have ever heard of. In fact, I had never heard of it before coming here. Instead of using a well-known industry standard like ServiceNow, we use a ticketing system called Cherwell, which also has an open API. Having an API for the ticketing system would be really beneficial.

I would prefer if Veracode offered more options for licensing, such as a pipeline or project license instead of a user license. Currently, I have around seven hundred users, but I manage fewer projects. Therefore, I believe it would be more beneficial and efficient for me if Veracode could adopt a project-based pricing model. In reality, I have multiple teams working on various projects simultaneously. Pricing based on the number of projects I have up and running would be more suitable for my needs compared to the number of developers working on a particular project.

One thing that I would like to be able to do is to receive a daily summary of the emails I currently receive. With numerous ongoing projects, constant scanning occurs, resulting in a high volume of emails about what is being processed. I believe it would be helpful if Veracode could create a daily summary of these emails. This way, I can easily track the number of actual emails I receive without having to go through each one individually. As of now, I already have 65 emails from Veracode, specifically regarding the processes that ran today.

I have been using Veracode for three years.

I have almost never seen any downtime with Veracode.

The scalability is excellent because we utilize Veracode on their cloud infrastructure, and we handle dozens of projects daily.

I've never had a problem that didn't get solved, or at the very least, get immediate feedback. So, I would say their technical support is very good.

Positive

I previously utilized a solution provided by IBM in my previous organization, but later we transitioned to a company named WhiteHat Security. The reason for this switch was that when we conducted a scan using the IBM solution, it returned a result of ten thousand vulnerabilities. It was my responsibility to review the vulnerability report and clear out any false positives. However, this task was extremely time-consuming, taking nearly forty hours to complete. The reason behind the prolonged effort was the spidering scan performed by the IBM solution, which continually traversed different pages through various links, leading to repetitive errors that required matching and deduplication. Out of the ten thousand vulnerabilities, approximately a thousand were legitimate, and the scanning capability was limited to DAST. To address these challenges, we migrated to WhiteHat Security. With WhiteHat's scanning process, the number of vulnerabilities was reduced significantly to around six or seven hundred. Their approach outperformed my manual efforts in identifying duplicates and further eliminated non-duplicate vulnerabilities that were caused by the same piece of code.

When I joined my current company they were already using Veracode.

The initial setup was straightforward. We connected to the Veracode cloud, so essentially, we are operating on their public cloud. Whenever we run any process, we send our code to them. They execute it, and we receive feedback from the execution.

I have not been involved in the initial deployment of Veracode, but I have been involved in deploying the pipelines, creating and building out the ISMs, and also administering users. Recently, we moved and integrated it with our single sign-on. Since we're using Okta, we performed the integrations, and now everyone connects through Okta.

We utilized a value-added reseller, and they provided integrators themselves. Additionally, we have direct connections with Veracode. So, my understanding is that we likely received assistance from both the value-added reseller's team and Veracode.

We have monthly calls with Veracode. I work directly with engineers and have access to their email addresses and telephone numbers. This way, whenever there's a problem or an issue, I can easily reach out to someone. Additionally, I receive almost daily emails regarding recent developments and occurrences.

We have seen a return on investment. We have two hundred teams, and approximately 70 percent of them are integrated with Veracode, running pipeline scans on about 50 percent of those. The remaining teams conduct manual SAST scans instead of using pipeline scans. We have likely saved 25 percent or more of the time it takes developers to go from a startup project to the final build and deployment, just by addressing vulnerabilities.

We pay based on the number of developers working on a particular project.

Our organization evaluated four or five different solutions before selecting Veracode. The issue with the others was that they only offered either SAST or DAST, but not both, whereas Veracode provides both.

I would rate Veracode an eight out of ten. Veracode needs to improve its SCA capabilities to become a market leader rather than a market follower. Another noteworthy area they are starting to focus on is container security. I assume they will compete with Laceworks and other companies in that domain, which makes it worth keeping an eye on.

Veracode's software build of materials feature is integrated into the software composition analysis, which we are currently exploring for utilization. However, at this time, we are using a third-party product for that purpose.

Veracode's false positive rate is very low based on what we have found. However, there are instances where it becomes confused, identifying one type of vulnerability when it is actually a different type that appears similar. Nevertheless, we always conduct verifications before approving a list of vulnerabilities for the developers to address. We thoroughly go through and verify at least most of the different types to ensure their validity. My team verifies the false positives, so the developers almost never see them. Because we don't encounter many false positives, we don't spend a lot of time fine-tuning policies. We'll make some minor adjustments, and it should mostly resolve the issue until we encounter a different type of false positive. Then, we'll have to address it separately.

One of the other things that I have observed recently is a tool called Veracode Fix. We have not examined it yet, but it's worth considering. Normally, we avoid implementing too many automated fixes because sometimes they end up causing even more issues, particularly when dealing with legacy code while transitioning to Veracode. Allowing automation could potentially lead to the application being permanently shut down, especially in cases like Software Composition Analysis and Software Bill of Materials where we may need to upgrade to a different or less vulnerable, open source piece of code. If we upgrade without ensuring compatibility with our existing setup, it could break numerous things. Hence, we previously attempted to use automated fixes, but the outcome was negative, and we have decided never to repeat that mistake. Therefore, it's something we plan to explore, but we need to ascertain if there have been any changes in that type of setup.

For someone who wants to use Veracode but is concerned about the cost, the amount of time saved, especially on the SAST side of things, makes it worthwhile.

We are a multi-cloud organization primarily using AWS, with 25 percent of our infrastructure on Azure and a smaller portion on Google Cloud. We are currently using Google services only because we are a Google shop rather than a Microsoft Office shop. As a result, all of our emails are managed through Google, and we rely on Google Docs and other related tools. 

There are four architects and a group of DevSecOps professionals who work directly with the development and operations teams. They form the security component of the organization and are responsible for operating Veracode on a daily basis. Their primary role is to assist the developers in integrating Veracode into their workflows, setting up pipelines, and collaborating with them when vulnerabilities are identified. They are available to help the developers understand why they received a vulnerability and guide them on how to address and eliminate it.

The only maintenance we will have to deal with is related to the ISM servers. These ISM servers are actually controlled by our company. There is an on-prem link to the Veracode cloud. When they conduct their scan, they access the server, which acts as a jump box. This enables them to scan our internal applications that do not have direct access to the outside world.

Veracode is a good Dynamic Application Security Testing tool, but it excels as an outstanding Static Application Security Testing solution for organizations that prioritize serious security measures.

I worked as a security tester for a service-based Indian IT company. I had the admin right on the application where I used to provide access to other developers so they could execute unit-level tests directly from their console. There are many types of security testing activities, such as false positive analysis or looking into the code from a secure point of view, getting the mitigations done, and then retesting the applications.

We initially had more than 15,000 vulnerabilities. Veracode helped us to regulate all the teams. I gave the consult level access and a basic level of access to developers. My manager and I trained the developers in secure coding practices.

DevSecOps is a process that helps improve security in software development. From a DevSec perspective, it is a great way to improve security in software development. However, from a DAST perspective, it is not as good because the results cannot be easily integrated into the CI/CD pipeline. Integration with Jenkins is seamless. It didn't make much of a difference for us, but it could be different for other applications of the latest technology. Veracode has the feature of issue creation in the Jira portal itself. For example, if we're scanning an application and Veracode reports 15 issues after the security scan is complete, the solution will automatically create Jira tasks related to security, which can be assigned to the appropriate developers. Veracode is good from that perspective, but it needs more evolution. The solution needs moderation because if by some chance a big module or issue pops up, we could get 10,000 issues. That would be a real complication from the Jira point of view.

When it comes to false positives, I used Veracode for two-and-a-half years and it has been fine and fair.

When our developers find a false positive it doesn't make much of a difference. They are just happy knowing what is wrong and right. Developers know how to code, but they don't know secure coding. We are generally there to guide them and most of the time, I used to do the false positive analysis by myself and not leave it to the developers. The developers would get a refined and concrete number of vulnerabilities to quickly work on. In some cases, the developers also find issues that we missed because we have to work on multiple applications at once.

I don't believe there's any cost related to the machine-learning side of Veracode, but it takes a lot of time because SaaS issues are those that couldn't be resolved by a junior or intermediate-level developer generally. Most of the time, these issues are resolved by people with five-plus years of experience because there are security issues. To understand the security complications, we need to have some knowledge of the architecture and design levels of the application. If we don't have design-level information, it's difficult to correct. Without a senior-level developer to guide us, it can cost us a lot. The senior resources getting deployed could be used elsewhere for more development activities. However, the mitigation is provided by Veracode and the detailed report is very good.

Veracode has helped fix flaws affecting our organization by making the applications a lot more secure.

We use a code review-based tool, so the unique aspect of Veracode is that it is really good for legacy or old technologies. It can scan old databases and old code written 20 years back.

Depending on the technology we are working with, the solution's ability to prevent vulnerable code from going into production whether it is Java-based code or ASP.net, the efficient number of identification codes is the best in the market for legacy technologies. I would use Fortify or Checkmarx to test accordingly using the latest code.

The best feature I like about Veracode is the ability to give low-level access to accounts. The identity access management system is really good and we can even integrate it with the ID. For example, if we're coding in Eclipse or something similar we can push the code from the ID directly into Veracode's backend to have its security tested. It is cloud-hosted and the downtime is very minimal. We could check the results anywhere, anytime. This makes the platform's independence very good. 

The solution provides visibility into application status at every phase of development. We can see and make adjustments accordingly at each level.

Veracode is a great solution for old applications. I would only recommend Veracode for older applications.

One of the most important areas that need improvement for Veracode is its DAST. Veracode's DAST engines are primitive. They need to work on that. It needs to be their number one priority.

The number of vulnerabilities and quality of the latest technology when compared to other scan engines such as Fortify and Checkmarx is not as good.

Veracode has multiple sides when it comes to dynamic testing. They offer software composition analysis, dynamic scans, and static scans. However, I would not recommend Veracode for dynamic testing because it wasn't able to scan many of our applications properly. Some of the other solutions were really efficient and proactively reported a lot of vulnerabilities. The Veracode scanner was not able to properly scan the applications because of authentication issues and login issues. HP Web Inspect and Microfocus Web Inspect allow us to make scripts by ourselves, which will then enable the scanner to scan the website in a more proper and systematic way. There were a lot of complications with Veracode's dynamic point of view, and a negligible amount of vulnerabilities were reported. On the other hand, when I tried Next Parker or Micro Focus Web Inspect, things were really good.

If we have to scan the latest code, for example, if we have written a piece of code in Angular or Node.js, we can't consider the solution because it is not as good as other solutions using newer code.

I have been using Veracode for two and a half years.

Veracode is stable, but every now and then something breaks. From a stability standpoint, I would give the solution a seven out of ten.

Veracode is scalable. I give the scalability a ten out of ten.

The technical support is really slow. Their availability is sparse. It sometimes takes two months to have a resolution.

Negative

I started my career with Veracode, a DAST review tool. I worked there for two-and-a-half years.

The solution is not deployed on our systems. It is cloud-based and only requires logging on.

The requirements for the code determine whether Veracode is the best option or not. If the code is 15 to 20 years old, and it is very important, then Veracode is the best option. If the code is very new, then I wouldn't want to spend any money on the solution. It all depends on the requirements.

There is a fee to scale up the solution, which I consider expensive.

We did POCs and collaborated with Fortify, Veracode, and Checkmarx to see who gives the best results for all the applications. Veracode gave the best results, so we chose them for our organization.

I give the solution a six out of ten.

Veracode has not directly helped our developers save time. There was no interaction between the Veracode team and us, so it was minimal whenever some issues such as false positives are reported by the solution. There were some issues with the Veracode engines a few times that required customer support to resolve.

I used to go to Veracode's website and log in. It was updated automatically, and I could access it from multiple devices. I'm not sure which cloud they were using, but it was managed by Veracode.

We have around 18 people using Veracode and two of them are administrators.

Veracode is accessed via a website on the internet. Their backend team takes care of any maintenance that is needed.

I use Veracode to implement solutions with security and to define rules, for example, for the network and the traffic of the network. Those are the main scenarios where I have interacted with Veracode. I use Veracode in the banking sector.

It makes it very easy to track and monitor activity. The visibility via the boards is very good. It enhances operations. 

The flexibility to define rules and the ability to update those rules on the fly are valuable features. It has boards where it is easy to track or monitor the activity. This is something that brings value and enhances the operation. Whenever we need to update a rule or make changes, you need to do it quickly, and this makes it possible. 

Maybe the boards could be made easier to understand or easier to customize.

I've had some interactions with this solution. 

It's quite stable. It's a very good solution.

This is easy to scale. If I need to add new infrastructure, I just need to start scanning or include new segments of the network. It will automatically include new infrastructure or it will escalate. Cloud solutions are easier to scale than on-premise solutions.

I haven't interacted with support. However, it's got good support. They respond very quickly since security is something critical. It will depend on the severity of the requests.

Positive

I was using a legacy solution, and we tried to migrate to a new solution like Veracode. However, I was not a part of deciding which solution to move to.

I was not involved in the initial deployment. 

Especially in banking, security is a must-have. If we have weaknesses in security, it will cost a lot. For example, hacking or people trying to access their networks. The scanners of Veracode bring status of the weaknesses in the current infrastructure. 

It scans and provides reports regarding the servers, the network, and the applications running on those servers. It's a very valuable kind of solution. Trying to do it manually would be costly and increase the risk of mistakes if we try to identify all those bugs in the architecture. Using an automated tool brings cost reduction and more security.

The pricing is competitive. It's not the most expensive solution. It also brings some benefits in comparison to other options. 

I would give Veracode an eight out of ten. 

I do not have any specific advice for people considering using Veracode.

Our primary objective when using Veracode was to ensure the security of website development and other application developments we were working on. We aimed to prevent any security breaches and also closely monitor any potential vulnerabilities that could arise from code deployment. Fortunately, we were successful in identifying and addressing these vulnerabilities. 

Although the responses were somewhat mixed, we managed to go two years without a single security breach, which was a significant achievement. In addition to monitoring security breaches, we utilized Veracode for continuous monitoring. The difference lies in the fact that once the code is deployed and access to the server is initiated, there is a high possibility of connecting to a different server or encountering interference from unauthorized individuals. This continuous monitoring allows us to observe each step of the server, including the IP addresses and protocols, and ensure their proper functioning. Veracode facilitated us in carrying out this monitoring effectively.

Veracode's ability to prevent vulnerable code from entering production is remarkable. We were once alerted that there was a possibility of a breach occurring. Despite spending hours pondering the issue, we were unable to determine how that possibility existed. After discussing with the support team, we eventually learned the cause. Therefore, in terms of detecting vulnerabilities, it was excellent. However, the problem arose from the fact that it was not well-customized for our organization. Consequently, there were multiple instances where flags were raised for our IP address or email, which we knew were not vulnerabilities. In such cases, we had to address them accordingly.

Veracode's reporting feature provides comprehensive insights into the security status of our code or application. These reports generated by Veracode offer visibility into vulnerabilities and different severity levels of threats that may be present. They also recommend remediation steps to address these issues without extensive code modifications. I find this reporting feature valuable. Additionally, Veracode regularly releases updates, sometimes multiple times a day, ensuring that we are consistently up to date. Although this requires my engineers to work extensively on integrating AWS services with our platform, it is one of the standout features of Veracode due to the recommendations and frequent updates it provides.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is on the mark. Everything was proceeding as it should, with adherence to the established procedures, protocols, and reporting mechanisms by both the organization and the support team. At no point did we feel that the industry standards were compromised.

Veracode provides visibility into the application's status at every phase of development. Primarily, we were only conducting two types of tests. One was continuous integration, which keeps track of the entire application's deployment process. It detects any defects and ensures a smooth deployment. The other test we used to perform at certain times was manual integration. We would delve deeper and test additional aspects because we wanted to ensure with utmost precision that there were no vulnerabilities when deploying the application. Hence, we also had to manually utilize this program before deploying or pushing it to the code.

When conducting the cost-benefit analysis for Veracode after six months, we discovered that there were actually only two significant security breach possibilities. With the assistance of the solution, we were able to detect and resolve these breaches. The most significant advantage provided by the solution was the assurance that no breaches were occurring outside of the office. Any potential risks were either determined to be false alarms or promptly addressed. Therefore, the only actual breaches we encountered during the six-month period were two. However, we also gained a sense of security, which I consider to be a worthwhile trade-off for the cost.

Speaking specifically about the security department of our company, there was a notable reduction in costs after the introduction of Veracode. However, when considering the broader scope of all the development departments, we not only had to invest more time in each project but also had to hire additional resources. Consequently, when taking into account all the departments collectively, the overall expenses increased. However, focusing solely on the security development department, there was a substantial decrease in costs, approximately $7,000 per month.

The recommendations and frequent updates are the most valuable features of Veracode.

The false positive rates were quite high in our case. Prior to seeking a solution, we had already engaged in discussions with their support team, who also confirmed this issue. We had read a few reviews, which indicated the presence of false positives. However, in our specific situation, the number of false positives was substantial. There were instances when we logged in during the morning and encountered 30 or 40 raised flags. Resolving them sometimes occupied a significant portion of our day, often extending into the first half. Thus, in certain projects we undertook, the occurrence of false positives was considerably elevated. Despite being aware of this, we acknowledged that a majority of these flags were likely false. Nonetheless, due to the matter of security, we had to address them, resulting in a significant allocation of our time.

The false positive rate of the static analysis has impacted the time we spend on fine-tuning policies. We have had to allocate a considerable portion of the software team's time to address the significant number of false positives, resulting in substantial time investment. Additionally, some of our projects with clients have been delayed due to this issue. One particular project experienced a delay of approximately 25 days, with false positive cases accounting for an estimated 60 to 75 percent of the delay. The cost of the false positive rate is causing a slight disruption in the development process. Therefore, I believe this is the major area that needs improvement.

We initially deployed on the AWS cloud because AWS also offers us additional security benefits and most of our other solutions were already on AWS. However, I think Veracode could develop a self-contained cloud system, allowing them to deploy the solution on their own system. This would be beneficial for us as they could provide the data privacy we require. It would be great because each new update on the security process necessitates a slight change in the program.

The reporting features could be subcategorized if the bugs are categorized and subcategorized according to our requirements rather than the understanding of the security system. This would be beneficial because whenever we need to integrate or resolve a bug, it is crucial for us to identify the vulnerable parts of our code. This process requires additional time and effort. Moreover, it is often challenging for us to comprehend the specific changes the system expects from us.

I have been using Veracode for two years.

The stability of Veracode, in my opinion, was not very reliable considering the need to consider false positive readings. We had to invest a significant amount of time rectifying or addressing those inaccurate queries, which made it a less-than-ideal solution.

I believe the solution is scalable. I remember a time when we were working with four clients in total. Even though our agreement with Veracode was not to exceed three projects, we were able to manage that, and everything went smoothly. They were even able to implement registration. This probably occurred due to significant delays in one of our projects. I was able to onboard the next client, which means we were working with four clients at that time.

The technical support team is knowledgeable. In the initial stages, when our team lacked the technical capability to perform manual configurations on our own, they assisted us with that. Overall, the experience was satisfactory. Nothing extraordinary, but it was good.

Positive

The initial setup was fairly straightforward, although it did take us some time. Our team lacked the necessary technical capabilities since it was a new endeavor. Before Veracode, our company didn't have any other security measures in place. Since it was a new concept, our employees also had a technical knowledge gap, which required some time for learning. However, the deployment process, on the whole, wasn't overly technical. It was done in two or three stages. The first stage involved initial queue meetings to understand the configurations we were using for deploying the code. The subsequent meetings focused on understanding the features we desired, how they would be implemented, and accessed, and their frequencies. Following that, the tech team took over and handled the deployment for us.

Six engineers were involved in the deployment, although the entire working team comprised twenty-two people.

The implementation was completed in-house.

It is quite challenging to calculate ROI. However, I can confidently state that over the course of two years, we did not experience a single security breach. Furthermore, we ensured that our solutions were free from any vulnerabilities when delivering them to our clients. As a result, we established a positive reputation with our clients, as evidenced by the certification from Veracode, confirming the absence of vulnerabilities in our overall feature or code deployment. In summary, we maintained a flawless record of zero security breaches. Despite the difficulty in conducting a cost-benefit analysis, it remains an essential task.

I believe the price is fair according to market standards. However, if we are anticipating a growth phase in the enterprise, it might be a bit costly for us. On the other hand, if we are currently making profits and aiming to stabilize ourselves while improving our solutions and working with our existing team, it suited us well during that period. We were focused on developing the final product, refining protocols, and enhancing overall product development processes for our brands. Therefore, I believe it was a good fit for us. However, organizations that are in a growth phase may want to consider other options, even if it means compromising slightly on the security aspect.

We previously evaluated other solutions. One of the primary reasons for choosing Veracode was the ability to configure it at a deeper level, which was not possible with the other solutions. Another advantage was that the other solutions did not offer a six-month trial period, unlike Veracode. We initially had a trial for six months, which was later extended to one and a half years. Therefore, pricing became the third factor. However, even at the end of the two-year subscription, we were unable to conduct a thorough cost-benefit analysis. This seems to be a common situation in the industry. Without experiencing a breach, it is difficult to assess the cost-effectiveness of a solution.

I give Veracode a nine out of ten. I believe that, in general, Veracode is a good product. False positives and these types of issues can be found in almost every security product out there. The best part was Veracode's technical team. They were proficient in their knowledge and there was never a moment of misunderstanding between our team and theirs. Overall, Veracode ensured that we did not encounter any ransomware or security breaches at any point in time.

Our DevSecOps team was involved in two stages of the entire process. The first stage was during the initial design phase of the specific application build. We had to determine when and where we wanted to manually interpret using the tool, as well as identify potential security breaches that required close monitoring. This was the initial step. Following that, our team proceeded with development, which typically progressed smoothly in collaboration with the client for a period of two to three weeks. As we approached the deployment phase, we would once again discuss with their team to determine specific points where DevSecOps would manually deploy the solution for testing purposes. Afterward, we would assess the solution from our end.

The false positive rate did not have a negative effect on the confidence of our development team. It was made very clear to us by Veracode's support team, as well as through other reviews and conversations with clients, that there would be a possibility of false positives being raised. We had to go through them because we cannot afford to miss out on any potential security breach.

I don't believe Veracode has helped us save time. Overall, if we consider the larger context, saving time was not a direct expectation communicated by Veracode. Their expectation was solely to prevent any security breaches. Regarding time-saving, I don't think Veracode has provided any assistance in that aspect.

At the end of the day, we were essentially thinking of transitioning to a new solution, primarily due to the high number of false positives we were receiving from Veracode, we conducted a cost-and-benefit analysis specifically for Veracode. We discovered that, overall, it prevented our solution from being breached for more than six clients. Considering our annual client turnover rate is approximately twelve to thirteen, Veracode played a significant role in addressing a substantial portion of our challenges.

I recommend negotiating with Veracode for a free trial period. We frequently engage in negotiations to secure a six-month trial. A trial will assist in comprehending the intricacies. While there are benefits, it is important to note that the time required for each project will naturally increase. It is crucial to understand how Veracode operates and determine if it aligns with the company's needs. However, regarding pricing, I am confident that Veracode delivers as requested.

Veracode functions solely within the development department, but within the department itself, we have a division based on the two types of clients we deal with. One type is primarily focused on development, while the other is focused on procuring or conducting quantitative analysis for the markets.

For general everyday maintenance, only two people are involved. However, for monthly maintenance, approximately six people from our end are involved, and I am unsure of the number of people from Veracode's end.

I would advise speaking with other clients like us who have already used Veracode. Prior to that, however, we need to understand what kind of security breaches are possible in our solution and determine how much of our money and time we want to allocate to addressing them. We should assess the importance of these breaches to us. Once we have this understanding, we can discuss with other clients how the overall process went and how much time it actually takes. The final step would be to directly contact their team and negotiate for a longer trial period. The best decision we made was to initiate a six-month trial with Veracode and then transition to full-time usage.

We use Veracode for static and dynamic application security testing (SAST and DAST) on our web applications to ensure there are no vulnerabilities.

So, my use case for Veracode is pretty much for DAST and SAST protection. I'm a pen tester and DevSecOps engineer. I evaluate the vulnerabilities and mark them as false positives if needed. I also manually exploit them. If we're unable to understand something, we raise a ticket to the Veracode team and get consultancy from them.   

So we are developing an application named Euro Car Parts, Car Parts 4 Less. It is an application which consists of multiple car parts and vehicle parts and everything. We are dependent on Veracode for that application, so it is quite helpful. 

As threats are increasing day by day. There are new vulnerabilities that come up these days, and applications get compromised. Veracode quite helps us with the latest security configurations, OWASP standards, and SAST standards. So it is really helping us and improving our security posture with each upgrade, each scan.

It's robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better.

The solution offers the ability to prevent vulnerable code from going into production.

It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly.

I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them.

We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us.

As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good.

The solution provides visibility into application status at every phase of development. Like static analysis, dynamic analysis, software composition, and manual penetration tests - throughout the SDLC

We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline. We use Snyk for SCA and Veracode for SAST scanning. 

At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues.

We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. 

There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool.

We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works.

Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.

Before deployment, we upload our JavaScript and PHP files to Veracode for static analysis. It returns a report with multiple vulnerabilities or security misconfigurations. We then correct them to ensure they don't exist on our production server.

The key point of Veracode is that it's an all-in-one solution. It has all the logs, features, and reports in one place. Compared to other tools where you need to access different platforms and modules to check results and scan reports, Veracode provides everything in a centralized location. That's what I like about Veracode.

There is room for improvement in Veracode's plugin, its API plugin. I think that API or we need to install some Java .jar file for that. This is the main challenge I have faced because it gets very hectic while integrating it with our pipelines. But it is working fine now. It is not a very big deal, but this area should be improved.

I have been one and a half years, like, 15 to 16 months.

It is a stable solution. The stability is good, so I would rate it a nine out of ten.

It is a scalable product. I would rate it a nine out of ten.

Each time I raise a ticket regarding something, they are very quick about the responses and get connected instantly, like, right after one day. They reply very fast.

So, the customer service and support are good. Last month, I had a call with two consultants regarding some vulnerabilities. There were some issues where code was reported as a cross-site scripting, but that was from a library we were using. I tried to exploit them manually, but it didn't reflect any cross-site scripting issues. They came back with the solution real quick. They just wanted us to remove an attribute we had used inside. We got that removed, and it got fixed. It is working fine now. So, no issues. It is quite fast. I don't have any complaints.

Positive

Earlier, I used tools like Snyk, Fortify, and Checkmarx. Each tool has its own pros and cons. 

Veracode is a bit slow compared to Snyk and other tools in the market. 

But the best thing about Veracode is that you can get everything in one place. You don't need to switch between different domains, tabs, or profiles. 

Everything you want is on the same spot, on the same page. So, it is very easy to compare and check things out.

There's no different approach because every tool runs a scan, gets back to us with reports, and we validate them. We get the mitigation, check the responses, and check the actual line of code or security misconfiguration that needs fixing. The approach remains the same. I will try to exploit it manually, determine if it is a false positive or an existing issue. Then we give a green flag, and it moves ahead to deployment.

The deployment is complex. There are multiple things we need to check before getting our application to deploy.

So, the setup's complexity could be improved or simplified, in my opinion.

The scan doesn't take that much time to complete. You just need to sync it with your application and the scan. You just need to make the configuration and use the API into AWS or Jenkins pipeline. So, it will take five to six hours to integrate, not more than that. But with the tests, to make sure that it is working fine with the deployment and all, it takes one day.

The solution doesn't require any maintenance; at least I didn't face anything. I just wait for the upgrade. It gets upgraded with the latest known vulnerabilities, and it gets better and improved. 

There are three teams on board: the dev team, another dev team, and the QA team. It consists of about eighteen people.

It saves us around 30% of the time.  It is worth the investment because security must be the first step when developing an application. You use someone's data, especially if you work with e-commerce, banking, health, or welfare applications. You need to be very aware and secure about it. 

Each user's data must be protected, and their privacy should not be compromised. So, it is very important to maintain the security configurations and ensure there are no vulnerabilities. I believe it is worth the investment.

It works quite well as per market standards. The other tools also charge the same, whether it's SAST or other security tools. They are quite similar.

I would recommend others to use it because it is very robust and has everything in one place. You don't need to move to any different apps or domains, or different platforms to get things done. You will get the mitigation, you will get the vulnerabilities, you will get everything at one place on the dashboard. So I will definitely recommend it. 

It is not as fast as Snyk, but it is scalable, and it has more coverage, I think, compared to Snyk because it gets back to us with vulnerabilities that Snyk cannot find. So, I will recommend it to my friends. 

Overall, I would rate it an eight out of ten. 

We use the Veracode SAST solution to scan the Java, Node.js, and Python microservices as part of our CI/CD pipeline, wherein we are using our CI/CD server as Bamboo, Jenkins, and GitLab CI/CD. 

We have teams for both our cloud pipeline and on-prem pipeline, and both teams use this solution. We are using Veracode to constantly run the internal application source code and ensure the code's security hygiene.

Before, the pentesting was happening at later part of the SDLC. Now, we have been getting early feedback about insights from Veracode, including traction around the application security aspects. Developers keep coming to us and asking the questions. Vericode has built a bridge between the development and security teams, which is something really helpful in an organization.

Veracode has helped us build security training in our clients' organizations.

The solution’s policy reporting for ensuring compliance with industry standards and regulations is very helpful. We use Veracode to scan for vulnerabilities. This help us comply with regulatory standards for the European region. While the policy scanning takes time, it is very good from a compliance point of view.

There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic. 

We are using the Veracode APIs to build the Splunk dashboards, which is something very nice, as we are able to showcase the application security hygiene to our stakeholders and leadership. 

We have been using Veracode Greenlight for the IDE scanning. 

Veracode has good documentation, integrations, and tools, so it has been a very good solution. 

Veracode is pretty good about providing recommendations, remedies, and guidelines on issues that are occurring.

It is an excellent solution. It finds a good number of the securities used, providing good coverage across the languages that we require at our client site.

We have been using the solution’s Static Analysis Pipeline Scan, which is excellent. When we started, it took more time because we were doing asynchronous scans. However, in the last six months, Veracode has come with the Pipeline Scan, which supports synchronous scans. It has been helping us out a lot. Now, we don't worry when the pentesting report comes in. By using Veracode, the code is secure, and there are no issues that will stop the release later on in the SDLC. 

The speed of the Pipeline Scan is very nice. It takes less than 10 minutes. This is very good, because our policy scans used to take hours.

Veracode is good in terms of giving feedback.

We would like to see fewer false positives. 

Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of a high-level insights.

Veracode has a little bit of noise. Sometimes you will get a lot of issues, which you just need to triage. While the solution is excellent, it does come with a little bit of noise.

We have been using the solution for a year and a half.

The stability is good, except every month it needs maintenance. So far, we haven't had an outage during UK working hours, e.g., where we are unable access the platform. There were some issues out-of-the-box, but now it's pretty much fine.

More than 100 people are using the Veracode solution in our organization. Mostly, the guys who use Veracode are developers, QA engineers, product owners, Scrum Masters, and some data scientists.

We have a three-person team of security guys who maintain the entire service. The security guys have automation skills and can write the code. We are one squad in a company out of 21 squads. We are a security who helps other development teams with Veracode as part of their DevSecOps.

We have adapted Veracode across three line of our client's business. In the future, we may expand Veracode into more lines of business. 

The technical support sometimes takes 48 hours to get back to us. Some of the support staff are not that great. There is no extra support on Slack channel nor is there a chat. Instead, we just have to wait for an email. They gave us a mobile number, which sometimes doesn't work. Then, if it does, it takes time. The technical support is something that needs to be improved.

Veracode's application security team is very helpful. If we are not getting the answers that we need, this team will come and assist us. For example, we had a call with their application security team who helped us determine best practices. They are good and very professional. 

Their account team is helpful and knowledgeable.

We use the solution’s support for cloud-native applications, like AWS Lambda. We have a cloud pipeline, where some of our microservices functions are getting developed there. Less than five of our squad use this service.

Because of my consulting background, I have used other solutions prior to the use of Veracode. However, Veracode was the first solution implemented of its type. Before Veracode, developers didn't know how they could develop secure software. After Veracode was implemented, developers knew when they wrote code that they could scan it in their IDEs. Also, while pushing a deployment, they can get feedback from the Pipeline Scan.

The initial setup is straightforward. It took us three months to deploy the entire solution across all the squad at our site via Pipeline Scan as well as have the squads adopt it. If you are familiar with security, you can be up and running with the solution in a week's time.

Our implementation strategy was to give the Greenlight ID plugin to all the developers and enable the microservices. Then, we wanted to let the non-human account use the new unlimited account and all the source code. This has helped us in last year and a half, as we have over 150 microservices being scanned by the Veracode platform.

Customer support was amazing during the evaluation phase.

The ROI seems good so far. The client is happy with what they invested in Veracode. Having our developers now think about security is also helping us out.

The solution has reduced the cost of AppSec a little bit for our organization through the automation of pentesting.

We have seen a 30 percent reduction in pentesting. Using Veracode, we can do faster releases.

Veracode's price is high. I would like them to better optimize their pricing. 

Veracode's price is a little higher than other tools. However, they are the market leader.

Micro Focus Fortify doesn't have good APIs. Instead, they are relying on CLI. Whereas, Veracode is more API and DevSecOps friendly. Veracode's scanning time is better than Fortify's. 

It is an excellent solution. I would recommend adopting it. If you come from a security background, Veracode is an easy solution. If you don't come from a security background, the adoption of Veracode will take a bit of time.

Veracode has been integrated with our IDEs. It has been also integrated with our DevOps CI/CD server, which is Bamboo, Jenkins, or GitLab CI/CD. It is all pretty neat and clean. 

I would rate this solution as a nine out of 10.

We use Veracode mainly for identifying any vulnerabilities in the software. We do a lot of development, and before we deploy any product to our client environment, we want to make sure there are no vulnerabilities in the code and also follow best practices. 

We run scans to identify the criticality of these bugs and vulnerabilities, and we try to mitigate them. If it's not possible, we get an exception. At least we are aware of the vulnerabilities in our code, making sure our code is secure and not exposed to any threats like hacking.

In my organization, we have a policy in place. Every company has a different policy; at least our company has specific requirements where we expect everyone to build the tool or the software to some extent, following some best practices. 

Veracode helps us embed those policies into the scan. When we run the scan, the administrators have already set the policy, defining what needs to be checked and what can be ignored. It helps us when we run the scan because it provides a score based on the policy level. This score certifies how well the tool has scanned the code. 

We can then show this certification to demonstrate that the product meets the required standards and can be trusted without any issues. So, we are working with the solutions policy reporting to ensure compliance with the industry standard.

For our product, we use static analysis. We're not using any agent-based solutions, but we are planning to hook it into the CI/CD pipeline in the future.

Veracode has been helpful because, in the past, we used to integrate Veracode scanning into our CI/CD pipeline. Sometimes, what happens is a junior developer sees a third-party library and thinks, "Oh, this tool is helpful," and they bring it into our system to build something.

However, even if it's a third-party tool, we don't know what vulnerabilities that code may have. At least now, whenever we push code, Veracode can catch any vulnerabilities, and if it fails our build, it prevents us from deploying that code into our environment. It clearly states, "This code has a vulnerability; I can't deploy it." So, it effectively blocks us from deploying risky or vulnerable code in our tool. It helps us quickly assess the risk of third-party tools and take action promptly instead of building something and realizing two months later that we need to go back and fix it. That's not going to happen; we can identify and resolve issues within a day.

The tool is great in terms of ensuring our code is clean, recommending best practices, and capturing the flaws in third-party components.

Veracode has an impact on our organization's overall security posture. Because when we do development for internal purposes, we don't run a Veracode scan very often. But when we work in a client environment, if they want us to build something for them, we absolutely need to ensure that we haven't introduced any flaws or problematic code into their system.

Veracode helps us maintain the reputation and branding of our company, which is crucial for us. It's important to ensure the code is free from vulnerabilities and not exposed to hacks. It is very important to us.

The most valuable feature is Veracode SDP, which allows for something related to third-party vulnerabilities. When we build a product, we use a lot of third-party libraries instead of building everything from scratch. We just use a library which has already been built; we just use that component in our product. Sometimes, these libraries may have bugs or issues, and it's hard to keep track of them because we use thousands of them.

Veracode's tool scans every single library and gives a dashboard showing the number of libraries, high and low criticality issues, and whether a product has any issues. It helps us assess the libraries and decide whether to resolve the issues or replace the library to minimize risks.

I like the solution's ability to prevent vulnerable code from going into production. It does a pretty good job in most cases, but I have seen a few false positives in the code scan. It means that sometimes, like recently, we run a scan where we encounter a part of JavaScript code where it's just a string evaluation. Despite not posing any real threat, the system flagged it as a potential vulnerability, suggesting it could be exploited to hack into the system. We looked into that code and found it wasn't the case; it was a false positive. It wasn't a big issue because we reported it to Veracode, and they made an exception and resolved it. It does a pretty good job, but sometimes it can be very misleading.

However, the solution's false positive is not a big deal because it's very minimal. Veracode does a very good job, but 99% of the time, it works well. Only, like, 1% - 2%. Like, sometimes we manage false positives. It's not a big blocker as well. Every software is not perfect. Also, these are very minimal fixes. Sometimes, if we raise a support ticket to mitigate this issue, the response is also pretty good, and it can be resolved within one or two days. So it's not that big of a deal.

One area for improvement is the navigation in the UI. For junior developers or newcomers to the team, it can be confusing. The UI doesn't clearly bundle together certain elements associated with a scan. While running a scan, there are various aspects linked to it, but in the UI, they appear separate. It would be beneficial if they could redesign the UI to make it more intuitive for users.

In future releases, I would like to see some features. For example, there's a library we use as a third-party library. Sometimes, Veracode indicates that we can't use a particular tool because it has a lot of vulnerabilities in the code. It would be nice if Veracode's scan could show an alternative library to use instead of the one flagged as problematic

So instead of us having to go back and research, trying to figure out what other tool we can use as an alternative, if Veracode could provide those recommendations within the tool itself, it would be nice.

I've used the product for almost three to four years, but it's been a while since I haven't used the tool. But I started using this solution again. I started working on it again in the past month.

Veracode is 100% stable. We haven't encountered any issues.

It is a scalable solution. Veracode has a concept called Sandboxes, which is an amazing feature and pretty useful. I can kick off multiple scans, and they all run independently. There's no interference between scans. So, it's highly scalable, and we haven't had any issues with it. It is good.

For our team, we currently use it for two projects.

I've personally interacted with the customer service and support recently for a few issues, and their support is amazing.

Positive

The initial setup is very easy. It's not that complicated.

Moreover, the false positive rate of static analysis can affect the time spent on tuning policies. It took at least one day for me to raise that mitigation and approval ticket to look into it. Veracode needed to spend, like, six to eight hours, which essentially goes up to a day to resolve it.

The solution has 100% helped our developers save time. 100% right now in terms of ensuring the code is good and deploying it safely. Veracode definitely helps us be very confident when we go for product releases. It has helped our developers save time.

As a lead developer, it takes me one or two days to set up everything in Veracode scan. Once it's set up, the junior developers don't need to do a single thing. They just push their code, and they don't even realize that a scan is running in the background. So they don't need to worry about it. However, in terms of readiness for the production release, Veracode definitely helps us be confident and quickly identify the risks. There's a huge benefit in that area.

In the beginning, two or three years back, we were pretty new to Veracode, and we did seek help from the Veracode consulting team. Their support is amazing. If I send an email for any help, they respond within 30 minutes. Their response time is good, and they provide clear guidance.

I've personally interacted with them recently for a few issues, and their support is amazing.

So, initially, we did take consultation when we set it up, but once we became comfortable and familiar with the process and the documentation was also clear, we started managing it ourselves.

For the implementation process, a developer pushes changes to the master branch or a feature branch the first step is to trigger the Veracode scan in the CI/CD pipeline. We use Azure DevOps for this.

The next step is to include the code in the Veracode scan. This is the second step. Before going into further steps like building the Docker image and containerizing the application for deployment, we have a condition in place. If the Veracode scan doesn't complete successfully, we don't proceed to the next step, and the entire build fails.

We don't need a lot of members for the deployment part. It's only me and my technical expertise, like, one or two people. Any DevOps is enough.

We don't see much need for maintenance. It's pretty easy to manage. Veracode is also maintained by a dedicated team internally, and they provide support for everyone within the organization. So, if there are any upgrades or maintenance required, they take care of it. But from our team's perspective, there's no need for ongoing maintenance. We set it up once, and that's it.

The solution reduced the cost of the development setups for your organization. It is a key feature of Veracode. Once you set it up for the first time and integrate your CI/CD pipeline with our DevOps cycle and the Veracode scan, it takes two or three days to set it up initially. 

But after that, it's a one-time effort. You don't need to do anything further. You need to kick off the pipeline, and it runs the scans automatically, providing artifacts for you to review in the report. So it helps in the long run. Once you have your project set up correctly, there's no need for manual intervention at all once it's hooked up. It's a significant long-term benefit.

We have a dedicated team that handles research, but I personally have only used Veracode for scanning. Our team used to use SonarQube.

Our company used to run both Veracode and SonarQube scans for certain projects. Sometimes, some of the scans were not included in Veracode, so the team used SonarQube for those. However, this was quite a while ago, about two years back.

I would suggest starting Veracode scans at the earliest stage of development. It's crucial to catch vulnerabilities and risks early on so you don't invest too much time building something only to realize later that it can't be used due to a lot of issues, especially with third-party components. Using these tools as early as possible will benefit you in the long run and allow you to ship your product more quickly.

Overall, I would rate the solution a nine out of ten.

As a full-stack developer, I am also involved with DebOps tasks. When deploying to different environments, we have stages that must be passed as part of DevOps. One of the primary stages that must be passed while deploying to Jenkins is Veracode Analysis. We also have SonarQube analysis, which typically checks code quality, code coverage, and other aspects, such as whether there are any bots or vulnerabilities. Once the code quality test is passed, it enters Veracode analysis. During Veracode analysis, the code is checked for vulnerabilities. Veracode also checks to see if any outdated jobs are being used in the code and suggests better versions to use. All of this information is clearly displayed in the Veracode analysis results. Veracode is linked to JFrog Artifactory, which is a repository of all the jobs available on the market. Veracode uses this information to choose which jobs to use and which jobs to fix. Veracode also explains the possible errors in the code.

We do not receive many threats. The threats are very minimal. Therefore, I have never been in a situation where Veracode had to save me from vulnerable code entering production. However, it is still helpful for us and our managers to access our code to see what is happening and what can be improved using Veracode.

Veracode is constantly being updated and improved. I started using it in October 2022, and at first, we didn't receive much training on it. As a result, we struggled to understand its features at first. However, after some interface changes, I found it easier to catch up. After six months or so, we were able to easily identify and understand what was happening. We use SBOM, and I believe that Veracode is improving significantly in its ability to assess specific vulnerabilities. For example, they are now trying to identify SQL-related injections as well. This is something that I appreciate.

The policy reporting ensures compliance with industry standards and regulations. It also provides a detailed report with multiple options. We can easily generate a report of four to ten pages, or even a one-page report. I really like the way Veracode generates reports on assessments. It's my favorite feature.

It provides visibility into application status at every phase of development, but we must manually scan applications to check the assessment for a specific application or after deploying it to a particular environment. I think they can change this so it automatically scans for us.

The false positive rate is low.

Veracode has improved our organization's ability to fix flaws, and fixing vulnerabilities has sometimes required us to develop new features. This has actually helped us and made our applications better.

It has helped our developers save a lot of time. Jobs are constantly changing and upgrading, Veracode allows us to easily assess the security of our jobs in 10-15 minutes, instead of 40-60 minutes.

Veracode helps us improve our security posture. Once we identify and fix the vulnerabilities Veracode finds, we no longer face any threats.

The feature I like most in Veracode is that it clearly specifies the line in the entire file where a vulnerability is found. For example, if there is a vulnerability on line 32 of the demo.java file, Veracode will clearly state that and also tell me the severity of the threat, such as moderate, high, or very high.

The interface is basic and has room for improvement.

The main problem I have faced with Veracode is that it does not integrate well with JFrog Artifactory, the repository where all our jobs are stored. This means that sometimes jobs are not reflected in the Veracode report, which is a major drawback.

We have a Maven repository provided by Maven itself, which is widely used by all developers. It is the heart of these jobs, and every detail is available in the jobs. So when Veracode says that a specific job is not vulnerable, but the Maven repository says that it is, I don't think Veracode is updated daily. This is a problem because if I fix the job, taking two to three hours to do so, and then Veracode is updated two weeks later and linked to the Maven repository again, Veracode may show that the job is no longer vulnerable. This is a threat, as it wastes a lot of time for developers. As developers, we usually have deadlines to meet for moving to particular environments, such as UAT or production. Veracode is wasting our efforts by not being updated daily.

I have been using Veracode for one year.

The stability can be improved. There are times when we don't see our applications and have to ask a Veracode support person to add them.

Veracode is scalable, and we have not had any issues with the Microsoft and Solar components that we use. It has always worked seamlessly, and we have the ability to scale up to 15 components on our end.

We only had to use the technical support once and it was fine.

Neutral

I would rate Veracode eight out of ten.

There is minimal maintenance required from developers. The infrastructure team will take care of it. So, let's say there is one application, four microservice components, and six flow components. In that case, two members can easily maintain the Veracode platform.

I am one of five member developers from India who are using Veracode. We also have locations in Spain, Mexico, and London.

I recommend Veracode for organizations that are not in the cloud and still working on-premises.