We are Veracode partners/distributors in Quito, Ecuador.
At this moment, I am reviewing the solution.
It helps me to detect vulnerabilities.
I use the SAST feature the most.
All areas of the solution could use some improvement.
SAST. We have not yet integrated it into our software development lifecycle as it doesn't have the feature that enables us to integrate it with our repository.
It helps in achieving secure programming. Veracode provides us with industry best practices according to OWASP, CERT, and SANS. Our customers get the security of bug-free code and assurance regarding the application.
Scanning of .war and .jar.
Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries.
No stability issues yet.
No scalability issues yet.
We used SonarQube, but to improve security in SAST we chose this.
Setup is straightforward.
The pricing is good for static code analysis.
Checkmarx, SonarQube.
Implement this solution if you see WAF and SOC in your future.
SAST vulnerability scanning. Veracode is embedded in our release pipeline.
It improved our security posture. In terms of cost savings relating to code fixes since implementing Veracode, I'm not sure there are any. How do you quantify reputational damage from a security breach? However, they have provided AppSec best practices and guidance to our security and development teams through our support agreement, weekly meetings, and annual review.
Because it is a SaaS offering, I do not have to support the infrastructure.
Some important languages are not supported.
No issues with stability.
We have encountered occasional issues with scalability.
Tech support is excellent.
The initial setup was extremely straightforward.
Negotiate for the best deal.
Fortify, App Scanner, Checkmarx.
Make sure the supported languages align with your developers.
C++ financial application acting as hub for my academic accounting system.
The application, which my institution partially owns, was analyzed right after the code had been compiled. This happens seldom in academic software.
It does software composition analysis, discovering open source software weaknesses.
I can have quick results by just uploading compiled components. It gives me an idea about the most important vulnerabilities and fast remediation tips.
It never crashes, as far as I know.
Since it is a SaaS solution, the performance is fine.
CA still has some difficulties integrating the Veracode team in their support services.
I used SonarQube. It lacks real enterprise-wide security detection. I continue to use Fortify and AppScan while I am using Veracode.
Setup is really simple, just use Jenkins, JIRA, Visual Studio, and Eclipse connectors for on-premise. The rest is online.
Since we are based in the UK, the original Veracode Team (not CA) was helping us directly during the setup, then trained us.
Given the following:
ROI expressed as project savings is 2.4% of the project cost.
Costs are reasonable. No special infrastructure is required and the license model is good.
I wish Veracode support had more SDLC integration tools.
Interestingly enough, Veracode has evolved over time. Their chief designer has been a leader in security for many years, and his insights into applications, and what we now consider DevOps, have been very helpful for the industry. The insights into how we now have a mobile workforce, and that the end-point is what you carry in your hand - and the protection of those apps and web pages - are imperative because the coding in our information has moved out. Quite honestly, the people have become the firewall.
The products that Veracode has developed help me to manage that, scan that, know when something is going wrong, and I don't have to have a team of developers behind me that keep up with all the latest threats because the subscription service they provide for me does that.
Veracode helps me in several implementations over a couple of industry sectors in a number of ways.
My coding, especially the code we develop, has a number of faults per line, and it costs me money and time to fix those later in the lifecycle. Veracode enables me to provide better code, faster, so my time to market is less.
The security means my total cost of ownership goes down significantly over a period of time. The more code I write, the better I organize that, the less my expense is in maintaining that code.
As we move to more of a mobile space, much of the code was developed on desktops, mobile laptops, and things. Mobile apps run differently and they have a different runtime. Chris Wysopal and I have talked several times over the past few years about how to address that. I'm not sure that there is a good answer yet, because it is so complex. But I'm pretty sure with Chris' track record that they are going to come up with a very good way to do that in the near future.
There are always a few bumps going into any new implementation because nobody has the same environment. We are in heterogeneous environments.
But I couldn't point out any one significant problem that comes to mind, because the bumps that we have found have been addressed and corrected pretty quickly.
Scalability is almost infinite in this because the cloud-based solution allows me to expand. The companies I work for are generally in the 10 billion-plus range, but with thousands of developers we have never really had anything on the capacity planning or the performance of the products.
Their technical support is the best in the business. These folks have been around, like I have, for many, many years so they have grown up with the industry. Not only are they developers, they have been practitioners before. Their chief designers, their coders - although many of them change - the key people who started this are still there, and you'll know them by first name; pick up the phone and they can help you with what you need.
Any previous solutions would have been more than 10 years ago, and I don't remember why we switched. It's like the car you drive or the shoes you like to wear: Once they work - and it has worked in multiple sectors - there is no reason to change.
When selecting a vendor, the important criteria are relationships and support. When I pick up the phone and I get a Sam King or a Bob Brennan on the line, things happen.
It is a pretty easy implementation. As you know, with anything like this, which is very human-oriented, change is people, not necessarily the products themselves. The services they provide and the training and some of the "hand-holding", if you will, have always helped make this the bright, shiny object for the coders, so its implementation has always been pretty smooth for me.
On the rating scale is there anything above 10? If there are no ones and tens, it would be the closest to 10. They have always been supportive. We have had to change, do course corrections during implementations, or particular types of coding. I have just never had a problem. My loyalty to the product has been primarily due to the service and the expedience in which they solve any problems we have.
It has helped us be more secure, and it has helped us put a package together for our customers that will take into consideration training, all the way down to the coding level.
For us, it's the partnership. We have always been very strong partners with Veracode. They provide excellent training to our sales team, so we are able to work with our customers to show them the value of secure code training.
More integration into the specific application; an open API would be good. Aside from that, I think they do a really good job in terms of the features they have.
Veracode has always been a very stable product for us, a very stable product for our customers, and it has been a very stable relationship as well.
We have customers of every size from several hundred to several hundred thousand. The product works well, regardless of the size of the company we are working with.
We have had customers - and it has been our own experience as well - tell us that the support is second to none. They are very quick to respond, very quick to answer questions in a really knowledgeable way.
We've had no comments from our customers other than that it is an easy setup.
When it comes to secure coding, Veracode is the only one we really considered.
For us, whenever we are selecting a partner, vendors to work with who are going to be working with our customers, we have to make sure that they align regarding customer support philosophy, and that is the reason we selected to work with Veracode.
I would definitely rate Veracode a 10 out of 10, based on our customer feedback. Whenever we know the relationship is going well between Veracode and our customers, it reflects very well on us.
It has given us visibility into the applications we have that are participating in the application security program.
For me, at the program manager level, I'm not a developer. What I do is run applications through a security program. What's important for me, from Veracode, is the all-in-one metrics location. I can see where everything is across the entire portfolio of applications I have in this program, and I can report out on it. That is one of the more important pieces for me, at the compliance level.
Speed. When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code, it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code. In our case, we have quite a bit of older code. It takes some time to get through.
As a SaaS product, you have certain expectations for it to be stable. It is a very mature platform so we haven't had any issues with its performance.
It absolutely scales out. Our program is pretty small, but the eventual goal is complete application portfolio coverage. I have no expectation that we are going to have any issues with scaling.
Technical support is great. The folks that I have interacted with, from services all the way through to the pen-testers have been great. They are on par with anybody else out there. In some cases, specifically for applications, they are probably a lot better than most.
I have done a lot of product comparisons in my time, in information security. A lot of them are modules of a product, there is no single pane of glass. When I talk about metrics, I want to see everything in a single pane of glass, I want to see all of my results in one location. A lot of the other application security products out there can't do that yet. They are getting there but Veracode has already been able to do that for years. Veracode can run multiple types of tests and you can see all the results in one area.
When selecting a vendor the most important criteria are
Setup is very straightforward. Since everything is SaaS, everything is uploaded to the cloud. It's very simple to do. There is no setup on the back-end, initially. Once we start getting a little more sophisticated with integrations we are going to be just fine. Currently, we are early in the program so everything is done manually. So there is no setup. Everything is just done in the cloud.
I give Veracode a solid nine out of 10 because it is a full-featured product. It is not just something that they are selling to you and then leaving you to figure out how to use it. They actually help you every single step of the way and they want to show you how to do it.
Their testers, their application security consultants, really help you and help educate the developers. They walk you through every step of the way.
It has allowed us to scale and find vulnerabilities much faster than previous manual tools. It has allowed us to educate developers on it to use the consultation calls.
The most valuable feature is the remediation consulting that they give. I feel like any vendor can identify the flaws but fixing the flaws is what is most important. Being able to have those consultation calls, schedule them in the platform, and have that discussion with an applications expert, that process scales well and that is what has allowed a lot more reduction of risk to happen.
I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of the stuff; more hand-holding in the sense of understanding our environment.
They cover a lot of languages already and it doesn't make sense for them to cover legacy languages but I know there is a need for covering legacy languages.
My biggest need, the kind of feature I would want, is more on the technical support side.
In the early years, it was a little less stable but I know they have switched to more of an Agile CI/CD methodology and I have seen a lot more stability since they moved to that methodology.
One of the best things they offer is the scalability. The fact that you can work with it through the cloud means that if you have unintegrated business units, you don't have to worry about having a solution on-prem and having the network connection; you don't have to worry about giving up source code, you are just sending your binary files for most of the applications. So it scales much faster.
The technical support is good. I like the fact that you can email Veracode support. You get a very fast response, usually within the same day.
If you don't have an SPM, Solution Program Manager, to escalate issues after that - you don't have to escalate a lot of issues, but if you do and you don't have feature - that is where they seem to fall down a little bit. So they need help with their level-2 and level-3 support. They do very well at level-1 and then you need to escalate, sometimes. That is where they need to improve a little bit.
At a previous company, we were using HPE Fortify. We couldn't scale because it was an on-prem solution. Therefore, after five years, we decided to break out of the mold and use a SaaS solution. We were comfortable at the time doing so because we weren't sending source code, for the most part. As soon as we went to a cloud solution we scaled dramatically.
What I look for in a vendor is 70 percent a technical match with the features and benefits we need, and for the remaining 30 percent I look at the culture of the company because, for me, it is a relationship. I want to have a partnership and I want it to feel like a win-win. If they feel like it is a short-term decision, get in, get out, I want to know that. I want to be able to talk to them at any time and add service enhancements, feature enhancements, those kinds of things. It's a 70-30 split for me.
The implementation is straightforward in the sense that there are a lot of APIs to integrate, and they have a lot of connectors that do that for you.
HPE Fortify, Checkmarx, IBM AppScan. It really was between HPE Fortify, most of the time, and Veracode. I typically like Veracode because it is a SaaS solution. You have other providers now that do the same SaaS but then it goes back to the relationship and the partnership. I feel that I have that with Veracode.
I would give Veracode a nine out of 10 because it scales incredibly well, they have very qualified people working there who are able to clearly articulate what the problems are when they are talking in a remediation or consultation call. They are very knowledgeable, they are not condescending when they talk to a developer. The tool is very easy to consume. It's not like looking at a menu with 20 pages at a restaurant, it's very simple to digest. They have a lot of API connectors, they cover a lot of languages and it just scales. You can't beat that. Finally, the relationship is great with them.