reviewer1360623 - PeerSpot reviewer
VP Engineering at a tech services company with 201-500 employees
Real User
Source code composition analysis helps with vulnerabilities and license compliance
Pros and Cons
  • "Veracode is a valuable tool in our secure SDLC process."
  • "It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects."

What is our primary use case?

Our primary use cases are for comprehensive security assessment using static analysis, dynamic analysis, source code composition, and manual penetration tests. We also use it for security training for developers.                         

How has it helped my organization?

Veracode is a valuable tool in our secure SDLC process.                                                        

What is most valuable?

Source code composition analysis for vulnerabilities and license compliance is the most valuable feature.                                                                                                 

What needs improvement?

It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects.  

Buyer's Guide
Veracode
July 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
865,384 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Veracode for one year.

Which other solutions did I evaluate?

We also evaluated Synopsys.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Enterprise Architect at a computer software company with 1-10 employees
Real User
Excellent article scanning, good data support and great analysis
Pros and Cons
  • "The article scanning is excellent."
  • "The documentation is poor and the technical support isn't helpful."

What is our primary use case?

We primarily use the solution for article scanning.

What is most valuable?

The article scanning is excellent. 

The composition analysis and common CVEs attached to it are quite good.

The solution offers a lot of really great analysis. There's lots of good data support.

What needs improvement?

The licensing model could be improved. 

If they can provide an automatic upload model, that would be really good. Right now we have to upload the NK bucket hosting to get through the analysis. That is kind of cumbersome.

The documentation is poor and the technical support isn't helpful.

For how long have I used the solution?

We've been using the solution for three or four years.

What do I think about the scalability of the solution?

We don't plan on increasing usage. We are a product company. We have three products that are built. All of them go through this solution. We are not a services company. 

We have about 80 people on the solution currently. They are all developers.

How are customer service and technical support?

We did previously reach out to technical support. When we had to set up all of the automation, we contacted them for assistance. Their documentation is awful and their response time wasn't ideal.

How was the initial setup?

The initial setup was not complex. It was pretty straightforward. However, the integration and automation of the CI cloud was a nightmare. 

Deployment varies. Sometimes it takes three months. Sometimes it only takes one hour. The average is one hour, but we have experienced much, much longer deployment times.

What's my experience with pricing, setup cost, and licensing?

I have no idea what the licensing costs on the solution are. Our IT team handles the details.

What other advice do I have?

We were part of the initiation when the company started. They introduced it and we began using the solution. We're just a customer.

For those companies hoping to automate the solution, I would not recommend it. It's too difficult for those heavily dependent on automation. However, for those companies who want to manually use it, I can recommend the solution. In those cases, it's easy to use even if you won't build it as a part of your automation test tools or on any internet server.

I'd rate them eight out of ten. I'd rate them higher, but they have bad automation and terrible documentation. Other than that, they are very good.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1276710 - PeerSpot reviewer
Associate Consultant at a comms service provider with 201-500 employees
Consultant
Efficient at finding vulnerabilities but the number of false positives should be reduced
Pros and Cons
  • "The most valuable feature is the efficiency of the tool in finding vulnerabilities."
  • "A high number of false positives are reported and this should be reduced."

What is our primary use case?

I am a consultant and SourceClear is one of the solutions that I use to provide services.

This solution is used by people who want to verify the security of their own applications.

What is most valuable?

The most valuable feature is the efficiency of the tool in finding vulnerabilities.

What needs improvement?

A high number of false positives are reported and this should be reduced.

For how long have I used the solution?

I have been using SourceClear for about a year and a half.

What do I think about the stability of the solution?

This is a stable solution.

What do I think about the scalability of the solution?

We have no complaints about scalability. We have between 200 and 300 clients.

How are customer service and technical support?

We have not been in touch with Veracode's technical support.

Which solution did I use previously and why did I switch?

We have also used Checkmarx, where you can train the tool for false positives and ultimately reduce them.

How was the initial setup?

The initial setup is a little bit complex.

What about the implementation team?

It would be better to have some assistance when implementing this solution.

What other advice do I have?

Overall, SourceClear is working fine for us and our main complaint is in regard to the high number of false positives. Nonetheless, I would recommend Checkmarx over SourceClear.

I would rate this solution a six out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
SeshagiriSriram - PeerSpot reviewer
Head IT Architecture at a tech vendor with 11-50 employees
Real User
Enables us to perform security checks with ease
Pros and Cons
  • "We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes."
  • "One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications."

What is our primary use case?

We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes.

How has it helped my organization?

Technically there is nothing wrong with Veracode. The only issue that we have here is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. 

What needs improvement?

Technically there is nothing wrong with Veracode. The only issue that we have is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. 

One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications. So we would like to see a kind of a graphical representation of the problem areas. I would like to know which file is the biggest source of issues for me so that I can focus on resolving the issue, as a project manager. With how it is now, I am able to do this but I have to take out the whole PDF file and extract it. It takes up a lot of my time. I would like to see better strategic reporting. It would be great to get better graphical reporting.

For how long have I used the solution?

We have been using it for three years.

What do I think about the stability of the solution?

Stability is very good and there were no issues. I will give it five stars.

What do I think about the scalability of the solution?

It's very good; really very good. I would strongly recommend that. Technically I would be expecting a double concept for Veracode. I would still say this is one of the best products ever on that website. I don't have any issues with the scalability. 

How are customer service and technical support?

I had no technical issues at all.

How was the initial setup?

The initial setup can be a little complex for people or for organizations that don't have technical skills. Another small thing is that you need to have one person who's fluent and technically knowledgeable to help during the upload process. But otherwise, it's pretty much straightforward. It's not an issue, it's perfect.

What other advice do I have?

I would strongly recommend doing an internal analysis first, before setting it across to Veracode to proceed and to use it more as a final verification point. My point is that Veracode is very good, and I would strongly recommend it. I have seen other solutions on the market and that's why I say: don't waste your time on other products, just get Veracode.

I would rate it an eight out of ten. Not a ten because of the reporting issues I mentioned that I would like to see improved.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Senior Solutions Architect at NessPRO Italy
Real User
A well supported and valuable tool that was part of our DevSecOps process
Pros and Cons
  • "I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code."
  • "Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them."

What is our primary use case?

I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code.

How has it helped my organization?

We were embracing Veracode as a process in our DevSecOps, although I have not personally used this solution for the past eight months.

What needs improvement?

This is not a very elaborate application. I think that the suggestions are between thirty-five and eighty percent accurate, with most cases being about seventy-five percent. Some of them are references where you have to go and determine whether they are direct threats, or not.

At the point in time when we were using this solution, we had older coders and the way Veracode tests for vulnerabilities may have been affected by the code style. I found that there were far too many warnings and some false positives. Of course, this comes with every product, and there are multiple tools that are used.

Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them.

What do I think about the stability of the solution?

In the context of a dev or UIT environment, I'll say that it is fairly stable. However, I would not be able to give ratings for stability in a production environment because I have no experience with it.

How are customer service and technical support?

Technical support was good and I was very happy with them.

We did not have that many issues to start with. They conducted training, and there was an architect that was working directly with me to answer everything. He was fairly knowledgeable. In the beginning, when we wanted to understand the product, he gave us great pointers. He provided very nice documentation that we followed and we were able to establish with the infrastructure team.

Which solution did I use previously and why did I switch?

I have used multiple tools similar to Veracode that integrate with the IDE.

How was the initial setup?

The initial setup was straightforward. What I recall is that it was not really difficult and we had optimal support. They also provided us with documentation to help set up integration with tools such as Jenkins.

What other advice do I have?

When it comes to DevSecOps, in the industry it is still under adoption. With the advent of the cloud and code being there, or on other public platforms, many people have embraced it or are in the process of doing so.

My advice for anybody interested in implementing this solution is to be really careful when choosing your tools. Be very proactive and up-front on the requirements of your systems, because no tool is perfect. You need to find the best fit for each particular use case. I would do a thorough analysis.

As a solution architect, I do small POCs and run initiatives on products to find out various aspects. For example, the technical feasibility of the product is an important aspect. Other important ones are usability, testing, and implementation. Normally, I select at least three products and do a comparative analysis based on the POC. After this, I recommend a particular solution.

I would recommend Veracode. There are plusses and minuses to this solution, but given the chance to use it again I would definitely do so. Every product has its own flaws, but for my use case, it did fit very well.

I would rate this solution an eight and a half out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user920715 - PeerSpot reviewer
Managing Principal Consultant at a tech vendor with 11-50 employees
Real User
Easy to scale and does a good job, but only for a limited number of technologies
Pros and Cons
  • "The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs."
  • "I would like to see expanded coverage for supporting more platforms, frameworks, and languages."

What is our primary use case?

Our primary use case for this solution is application security.

What is most valuable?

The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.

What needs improvement?

This solution does a good job, but it is limited to only a few technologies. I would like to see expanded coverage for supporting more platforms, frameworks, and languages.

Specifically, I would like to see support for mobile frameworks like Xamarin and React JS, as well as extended support for iOS applications.

For how long have I used the solution?

Five years.

What do I think about the scalability of the solution?

This solution is quite scalable.

We have approximately fifty users, but we definitely have plans to add more.

How are customer service and technical support?

I have used their technical support and they are quite good.

Which solution did I use previously and why did I switch?

We did not use another solution prior to this one.

How was the initial setup?

The initial setup of this solution is straightforward.

What's my experience with pricing, setup cost, and licensing?

This solution is on the pricey side. They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.

Which other solutions did I evaluate?

We evaluated other options, but we chose Veracode.

What other advice do I have?

My advice for anybody who is interested in implementing this solution is to ensure that your technology is actually supported because the coverage is quite patchy. It is possible that if you use a framework or a language that Veracode does not support then it will give quite poor results.

I would rate this solution a six out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Engineering Security Manager at Nextiva
Consultant
Offers everything for both static code analysis and dynamic code analysis
Pros and Cons
  • "We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle."
  • "Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis."

What is our primary use case?

Our primary use case of this solution is for static and dynamic analysis along with SourceClear for the third party dependency (not IDM).

We were looking into actually moving towards IDM, but that's the extent of my knowledge. They are licensed as two separate products. They're part of the same platform, but they are licensed separately.

We have Veracode, Veracode Developer Training, Veracode Software Composition Analysis, and SourceClear. SourceClear and SCA are pretty much the same. They just support different languages. Veracode as a whole, the top option, is the one that includes everything.

How has it helped my organization?

We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle. We rely on this set of tools to automatically scan our artifacts when they are moving to different environments. 

We got it to the point that when we were promoting the artifacts from desktop to the server environment, we already had the scans completed. We knew the vulnerabilities that we were introducing with the new features ahead of time, i.e. before the QA department was finding them. That was the main reason we decided to use Veracode or to use tools for static analysis and dynamic analysis.

What is most valuable?

With Veracode, it's not about features for us. It is about the pricing model that they offer. To be honest, with their vulnerability database, the total amount of false positives that we're getting is very low. 

That's the main reason we use Veracode over anybody else. New Veracode features could include a very big database of actual vulnerabilities to be better than other products.

What needs improvement?

Veracode owns SourceClear. They bought them in 2017 or 2018, and they still are not fully integrated with the actual Veracode dashboards. Right now, you have to use two separate tools from the same company. One for the static analysis and dynamic analysis, then the second one for the third-party dependency. 

That is an area that they need to improve the service. Veracode needs to bring the second tool in already to the dashboard so that we don't have to use two separate logins. We don't want two different sets of jobs that we have to upload into two different places, etc. Veracode also needs better integration of their tools to each other.

Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis. The SCA feature is on the website. Veracode should integrate SourceClear with the company product line finally after two years. I would love to see that. 

Veracode did not previously support Python 3. They just released the support for Python 3. Keeping updates coming quicker would be the main thing that I would love to see, i.e. to have all these solutions better integrated.

For how long have I used the solution?

We have been using Veracode as a solution for almost two years.

What do I think about the stability of the solution?

It's a very stable solution.

What do I think about the scalability of the solution?

Scalability is the main issue with Veracode. For my company, the outlier is out there, but when it comes to scalability, we had issues with automatically scanning springboard artifacts. If you scan the artifacts, they want the artifacts to be packaged in a specific way. This is very well documented on the website but it's not the way we're doing business. 

The workaround was taking the build that was getting put together by Jenkins and moved through the environment. We had to make a separate one, packaged differently just for the tools to work. For the scans to work, if that makes sense. Maybe we are just weird in the way we package our artifacts but maybe many are having the same issue.

We have about 200 engineers that have user roles in the solution. There are different roles. We have security administrators. We have team leads. We have managers. Their roles are all very well put together. Each team has a manager that has access to more features than the rest of his team. They can create things, delete things, compared to the regular guys that can only see the reports. It's very well structured, from that standpoint.

Theoretically, everything is integrated with Jenkins, so the staff depends from one application to another, i.e. three people or eight people from our side. From their end, in our pricing model, we have access directly to an account manager. They have a team of engineers that usually help us if we encounter any issues. It's very extensive in use. We have about 80 services and applications going through using the scanning solutions that Veracode has and we are scaling up.

How are customer service and technical support?

The solution's technical support is absolutely fantastic and very fast. Veracode has very fast resolution and response times. Usually, when we have an issue, it's only a few hours before we get an answer from them.

Another time, the Veracode integration wasn't working and in about 3 days we came up with a solution to our problem. At the high level, the beginning of the conversation with Veracode tech support is pretty fast. It's only a few hours. 

Coming up with a solution takes two to three days at the most with Veracode. We pay a lot of money for that. You get what you pay for.

Which solution did I use previously and why did I switch?

We never did use other products. The reason we started looking into IBM and WhiteSource was because of the hiccups or the speed bumps we were encountering with our springboard artifacts. We were in the process of evaluating other products and I think it's still a valid option. I wouldn't advertise it, but we were in the process of changing from Veracode just because of that one particular issue.

We had to build our artifacts differently than before just to scan them, i.e. instead of scanning the ones we were publishing. It's not a big deal overall, but it would be nice for the solution to work out of the box with everything that's out there. Instead, many companies are changing the way they're doing business just for this small little step in the delivery process.

How was the initial setup?

I was not involved with the initial setup. When we were uploading new applications to their solutions it was very straightforward. Their documentation is really good and very detailed.

In the worst case scenario, if the implementation engineer just runs through the material, you can go on the website for resources. The way they have everything documented is very good. Veracode is very well documented.

What was our ROI?

I do not have any information on ROI. We became better from an engineering standpoint, but I don't know if we saved a ton of money in the process.

What's my experience with pricing, setup cost, and licensing?

They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static analysis was about $4500 yearly. The license is only for the number of users, it doesn't matter what data you put in there. That was the old model. I do not know how the new model works. 

We are in negotiations with Veracode. The old model was about $500 for dynamic analysis and about $4500 for the static analysis, per app or service, per year.

Veracode offers a lot of other license options that you can put on top of what we just discussed, but I don't think we ever looked into any of those. The way we implemented it was very straightforward. You have your app and you pay this much for both dynamic and static licensing. That's all we cared about per year. 

Which other solutions did I evaluate?

We looked at IBM before we decided to go with Veracode. I've seen the documentation that our director of information security put together. 

We looked at six different solutions before we went with Veracode. Another company does their pricing model based on lines of code. WhiteSource was one other option we evaluated.

We did review a few of them. IBM App Scan and WhiteSource were definitely on the list. I don't remember the rest of them.

What other advice do I have?

If the springboard issue doesn't hold them back and the pricing model stays the same as the one that we have right now for this year with them, it's a good deal. Veracode is pretty straightforward to use and the support is really good. We don't have a lot of complaints about that. 

I don't know how the pricing model is going to change the actual price of the application. On a per license basis, Veracode has a very lucrative way of doing business. I don't think a big company that has a lot of services and applications would enjoy paying upwards of $200,000 per year to scan all their code. 

Prospective customers should look at how the pricing model affects them, especially if they are in the microservice type of architecture or if they are moving towards something like that.

I would rate Veracode an eight out of ten just based on the experience that we had the past two years. The reason it's not ten is because of the ways these tools integrate. 

That rating is at risk of becoming a seven now with the pricing model changing. Veracode is probably not going to be that attractive anymore compared to other competitors. We knew other competitors were more expensive. The reason that we didn't go with them was that Veracode was very straightforward.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
AVP, IS Manager at a financial services firm with 1,001-5,000 employees
Real User
Substantially reduces the number of unmitigated flaws in our code

What is our primary use case?

We use Veracode to scan custom-developed code for flaws.

How has it helped my organization?

  • The volume of unmitigated flaws in our applications has been substantially reduced.
  • In terms of AppSec best practices, the team at Veracode has provided industry benchmarks against which we are measuring our improvement.
  • Our customers have benefited from the added security assurance of our applications, although they may not know it.

What is most valuable?

The identification of flaws.

What needs improvement?

We would like to see improvement in reporting, in particular, end dates on mitigations.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

It has handled all the expansion we have required from it.

How are customer service and technical support?

Technical support is highly competent.

How was the initial setup?

It was already implemented when I joined the organization. However, we have expanded greatly.

What's my experience with pricing, setup cost, and licensing?

We are about to enter discussions for renewal. I have heard there may be some changes to pricing. I will reserve judgment until the discussions are complete.

What other advice do I have?

I would recommend it. It covers all our custom-developed applications and will expand as new applications and services are added.

We have 50-plus users of Veracode. Their roles include InfoSec, developers, development managers, QA, and configuration management. In terms of deployment and maintenance, we have four people in configuration management and InfoSec.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user