Veracode Reviews

• Scanning web-facing applications for potential security weaknesses.
• Helping to document the introduction of technical debt in our code bases.

• It gives feedback to developers on the effectiveness of their secure coding practices.  
• It has almost completely eliminated the presence of SQLi vulnerabilities.

• Multiple languages and framework support: We can use one tool for our SAST needs.
• Developers report liking the IDE integration provided by this tool.

• More timely support for newer languages and framework versions.  
• Integration with Slack is another request from our developers.
  

I use Veracode to run scans on .NET applications, web applications and Windows/fat form applications. I also use it to make deployments in three-tier environments: the application server tier, web server tier and the database tier.

• Veracode has improved our penetration testing process. 

• We use Veracode static analysis during development to eliminate vulnerability issues.

• I have found the user interface extremely helpful in prioritizing issues.

• It allows me to prioritize the work to help resolve an issue.

They should improve on the static scanning time.

We are planning on introducing a static code analysis tool to support a DevOps effort in our environment. The objective of the solution is to allow the team to identify vulnerabilities in the source code and improve the hygiene of the developed code before deployment.

This is currently still under evaluation, and it is pending review and assessment against other static code analysis solutions.

The solution provides the capability for the application teams to track remediation and the handling of identified vulnerabilities. The system provides workflow capabilities for the application teams to send the completed scans to the security teams for their review. In addition, the security team can track the remediation and risk acceptance statistics.

The solution currently does not support Dynamic Application Security Testing which is an important facet of application security testing. In addition, the current version of the application does not support testing for API.

Application security scanning.

It has helped us identify all the applications flaws, especially with so many open source licenses available to the developers. With this product, it allows you to plug in all those gaps where you may open up the backdoors. This tool has helped us everyday with our goal to plug in all those gaps.

We help make changes from the initial NAS that we sign up with the vendors and any third party who might be involved in our telephone activities. They have to ensure that phone is a standby application and security tool, plus we also make the changes in the workflow for any application. Before it is deployed into operations, it has to have a security certificate which proves that it has a Veracode application security certification on it and all the flaws that have been identified have been removed.

It has several components in that help you identify abilities in the core. It also provides security of different Shadow IT activities in our environment, especially around application development and website hosting.

They are already working on, but we are looking forward to seeing it. We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass. 

Once your report has been generated, you need to review the report with consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule a multiple consultation times with one of their developers. There are few developers on their end who work can work with your developers, and their schedules are very tight. Therefore, you have the report ready if you want a consultation, then it sometimes takes more than three to four days to arrange a meeting. I feel to wait four days to get a consultation and understand the report around the whatever has been identified is a bottleneck. 

We have not seen any major downtime.

I would rate their technical support as a nine out of 10.

The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process. Therefore, they have been quite helpful.

They have an account manager for personal relations between the customer and their technical people. This person takes care of bringing them the right person to address any issues that we have.

Two years back, Veracode was having issues. It was taking a long time to start the application, and we worked with their technical support. They also have been constantly improving the platform.

We did not previously use another solution.

It was a bit complex initially when we started, because we had not been previously exposed to any such tool.

It is a SaaS tool. So, towards the end, we did not have to install anything. We just needed an account for the platform to upload the build. There was an initial issue, because people were not previously exposed to this type of process, and it was something new that they were being asked to do.

It has helped us reduce our overall time to remedy any validity, which can be found after being rolled out and put into production. Though, I cannot give you the number. It is always better to safeguard the environment rather than being hacked or have production downtime. In three years, we have not had any breaches or we seen any reduction in Shadow IT.

It is pricey. There is a lot of value in the product, but it is a costly tool.

The customer should demand better turnaround times for the money that they are paying, especially around the reporting and standing up processes that we need to go through. It needs much more technical information on the platform with a tool that can help with information or have 24/7 support available, then it will be worth the price that we are paying, because right now, we don't have many options. There are not may companies who are in the market for Veracode, who want this type of in-depth analysis and examination. That is why customers, with the money that they are paying, have room for improvement in the scope of the Veracode product. 

I recommend going for a one-year licensing with CA, because currently they are the leaders in this field with more features and a much better turn around time with a cheaper position, but there are a lot of new companies coming up in the market and they are building up their platforms. I suggest just not to get tied up with a long-term commitment, because I have seen with Black Duck that they are almost one-third of the price of the big platforms. Once there are the same features and functionality (or lot better performance) available in the market, people are going to migrate away from this platform. The market is changing so fast, and with the Black Duck acquisition, it is also expected that we may get a solution with a much faster platform with much better service at a cheaper price.

We did a PoC with Black Duck.

I would rate the product as an eight out of 10 for recommend it to colleagues.

I would rate the overall product as a seven out of 10.

We are Veracode partners/distributors in Quito, Ecuador. 

At this moment, I am reviewing the solution. 

It helps me to detect vulnerabilities.

I use the SAST feature the most.

All areas of the solution could use some improvement.

SAST. We have not yet integrated it into our software development lifecycle as it doesn't have the feature that enables us to integrate it with our repository.

It helps in achieving secure programming. Veracode provides us with industry best practices according to OWASP, CERT, and SANS. Our customers get the security of bug-free code and assurance regarding the application.

Scanning of .war and .jar.

Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries.

No stability issues yet.

No scalability issues yet.

We used SonarQube but to improve security in SAST we choose this.

Setup is straightforward.

The pricing is good for static code analysis.

Checkmarx, SonarQube.

Implement this solution if you see WAF and SOC in your future.

SAST vulnerability scanning. Veracode is embedded in our release pipeline.

It improved our security posture. In terms of cost savings relating to code fixes since implementing Veracode, I'm not sure there are any. How do you quantify reputational damage from a security breach? However, they have provided AppSec best practices and guidance to our security and development teams through our support agreement, weekly meetings, and annual review.

Because it is a SaaS offering, I do not have to support the infrastructure.

Some important languages are not supported.

No issues with stability.

We have encountered occasional issues with scalability.

Tech support is excellent.

The initial setup was extremely straightforward.

Negotiate for the best deal.

Fortify, App Scanner, Checkmarx.

Make sure the supported  languages align with your developers.

C++ financial application acting as hub for my academic accounting system.

Application, which my institution partially owns, was analyzed after just having compiled the code. This happens seldom in academic software.

It does software composition analysis, discovering open source software weaknesses.

I can have quick results by just uploading compiled components. It gives me an idea about the most important vulnerabilities and fast remediation tips.

• Dynamic analysis of on-premises applications using the Veracode proxy module.
• Static analysis of applications, on which I share property with third-parties.

• Management of false positives
• Agile best practices: Violation detection.
• Support for more programming languages, like SQL.
• Support for more frameworks for Java: .NET, Python, PHP, C, and C++.

It never crashes, as far as I know.

Since it is a SaaS solution, the performance is fine.

CA still has some difficulties integrating the Veracode team in their support services.

I used SonarQube. It lacks of real enterprise-wide security detection. I continue to use Fortify and AppScan, while I am using Veracode.

Setup is really simple, just use Jenkins, JIRA, Visual Studio, and Eclipse connectors for on-premise. The rest is online.

Since we are based in the UK, the original Veracode Team (not CA) was helping us directly during the setup, then trained us.

Given the following:

• Effectiveness of automatic detection of defects, taking into account bad fixes. 
• Effort to find and correct a defect during automatic detection.
• Effort to find and correct a defect during post release. 
• Effectiveness of testing. 
  

ROI expressed as project savings is 2.4% of the project cost.

Costs are reasonable. No special infrastructure is required and the license model is good.

I evaluated Kiuwan, Coverity, and Klocwork

I wish Veracode support had more SDLC integration tools.