Static application security testing, which is the primary use case.
There were different web applications which were scanned using this tool.
Veracode scans provide a higher number of false positives. Also, the overall reporting structure is complicated, and it's difficult to understand the report.
Veracode provides faster scans compared to other static analysis security testing tools.
Veracode should provide support to more software languages, like ABAP.
Certifying the application security of my SAS-based application code base.
It allows us to prove our security levels to vendors, and additionally helps us with our HIPAA security policies. Also, CA Veracode has provided AppSec best practices and guidance to our teams. Finally, it makes the IT Governance process of the sales cycle easier.
Static and dynamic scans of the code. It is part of our release cycle.
Mitigation review isn't always super easy.
No issues with stability.
No issues with scalability.
It is excellent.
Straightforward to set up, but the configuration of the rules engine is difficult and complicated.
It helps us get over the line for security when contracting with customers, and any help reducing security vulnerabilities is a big help to us.
Pricing/licensing is complicated.
Do your research, make sure you implement the tools you need.
I am very likely to recommend Veracode to a colleague.
To certify that we have valid code, and that the developers are working with valid structures and writing good code.
The coding standards in our development group have improved. When we scan our code - at the end of a build cycle we'll go through and scan our code - from those scans we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications.
That is now part of our software development life cycle, to do a static scan before we release to our client base. We mitigate what we have to.
I'm not aware of any cost savings relating to code fixes since implementing Veracode in our development process.
In terms of Veracode providing application security best practices and guidance to our development teams, once we scan the software and we have to go through a mitigation process, we make sure we implement that in the base standards. Once we mitigate a problem, we implement it back into the base to make sure the developers who are still developing code are not going to have the same issues that we just mitigated.
For our customers, they know that we go through another level of application security with our application, one our competitors don't use. They know our code meets a standard and that we implement the standard and the structures. That we have mitigated gives them a little bit of peace of mind that our code is valid, and that it's not going to hurt their infrastructure.
We just use the static scan, it's all we got into as of now. We're happy with that, it seems to work very well for us.
Going through the mitigation is probably the hardest thing to do and that's still an ongoing process. If there is a code issue to mitigate, it sometimes takes a little bit longer than what you would think. It might not be anything that they're doing. It's just their engine is changing and our code is changing so we have two things moving. We get a good score one time, scan it again on a new release and the score drops because the engine is picking up more things. I don't know if they could do anything about that. It's just one of those things you might just have to live with.
No issues with stability.
No issues with scalability, we're good there.
They're very good. Anything that we've brought up to them, they've responded to us very quickly.
We used the built-in solution inside of Microsoft Visual Studio, and we switched because Veracode had more cohesive scanning abilities and found a lot more issues with our code, when we first scanned it.
It was pretty straightforward.
We get good value out of what we have right now.
We had a couple of products that we looked at, but went with Veracode.
I am highly likely to recommend Veracode to colleagues.
Make sure, once you scan and find issues with your code, that the developers know how to remediate those issues so they don't go through them again.
It's going to take some time to get through your first set of scans and mitigations. To fix your code is not straightforward. But once you do that and implement it back through your whole development cycle, they identify the issues and it's very easy to fix them, once you know and have gone through it once.
We use it for a lot of things and they're all primary: SAST, DAST, and Greenlight.
By using this product, we can point out not only any potentially insecure coding, but how to fix it. It's a requirement, a legal requirement. So we benefit by not breaking regulatory law.
SAST, DAST, and Greenlight are the most important features because today it's important for our regulatory compliance law to keep our product coding relatively secure.
For our rapid, secure DevOps cycle, we have integration of the Veracode API into our build tool, and Greenlight into our IDE.
I think they are doing pretty well. It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo. I think that's a real good idea.
No issues with stability.
No issues with scalability, other than making sure that our people know how to use it.
Excellent.
Never. I've been using it for 20 years. I tried others, like HPE's and IBM's, when I was with Visa, but this is the best.
I think it's simple, but sometimes it would help to have more training for developers to help them set it up.
I can't give you exact numbers, but it's a lot cheaper to do it sooner rather than later.
Pricing is worth the value.
They didn't have products before this one. This one pre-dated them.
I recommend CA Veracode all the time. I am a public speaker, frequently on the speaker circuit, and I recommend it all the time. There are really three solutions at the top of the industry ratings, and Veracode is the best, in my opinion.
We are a good customer and we had been for a long time. I actually am a bit of an evangelist for them when I'm doing public speaking.
There needs to be better API integration to the development team's pipeline, which is something that is missing and needs to be improved.
We have been using the solution for approximately three months.
The installation was straightforward.
I rate Veracode Manual Penetration Testing a nine out of ten.
Security scanning.
It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security.
In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better.
As for our customers, it lowers the risk for people visiting our site.
Catching coding flaws before they go live.
Regarding integrating Veracode into our software development lifecycle, we started out with it being used only as a web interface, and now developers are starting to use it right in their IDE on the desktop.
It's a pretty dynamic product. It's changing all the time and improving.
The scanning is a little slow, but other than that it's fine. It's usually when the binaries get up into the multi-hundred-megabyte size.
We haven't encountered any scalability issues with Veracode so far.
They're awesome. Their timeliness is acceptable, but their expertise is phenomenal.
Veracode is the first professional solution I've used. It was in place when I got to the company.
We just use it as a cloud service for third-party developers.
In terms of cost savings relating to code fixes since implementing Veracode in our development process, I can't really give hard numbers.
I'm not the pricing guy.
Licensing is pretty flexible. It's a little bit weird, it's by the size of the binary, which is a strange way to license a product. So far they've been pretty flexible about it.
I recommend it all the time.
It's an important aspect of a complete security program. Not necessarily this product, but source code, fraud detection.
I'd give it an eight out of 10 because it's pretty straightforward, but you still have to mostly wrap it with organizational policies that encourage its use. It's not a product - and I don't think it's really a product category - that sells itself to the end-user. They see benefits, but they do have to be convinced to use it.
Static code scan.
We have used the results of scans to train our people and make them more sensitive to security issues during development, although we haven't done any specific integration of Veracode into our software development cycle. Engineers are better trained, so we hope to see increased compliance with our security guidelines.
We do incorporate the suggested course of action from the Veracode report (AppSec best practices and guidance) in our best practices.
Also, our customers benefit from the fact that the application is more secure.
We use the results of the scan to identify vulnerabilities in the product.
Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines.
No issues with stability.
Because our application is large, it takes a long time to upload and scan.
Based on limited usage, we are satisfied.
We did not have a previous solution. We picked this product because our partner (SAP) uses it.
Straightforward.
There are no directly measurable cost savings. We see security improvement as a key part of our product development.
When asked, we let our customers and partners know that we use Veracode and that we are happy with it.
Allows developers to run their own scans.
Reduced dependency on the security team to run scans. It helped the organizations to scan a large number of applications on a regular basis.
I would like to see the following:
We have used this solution for a year.
A few months ago, there were issues with the scanners and tickets were opened. However, they were resolved. This is a stable product.
There have not been any scalability issues yet.
I would give technical support a rating of 8/10. At times, we have not seen the best support in terms of issues faced during a scan.
Thank you for taking the time to share your experience with Veracode. We appreciate your time and hope all is going well. Please let me know if there's anything I can do to help. My role is new here and I'm working to check in with customers who have taken effort to comment on their Veracode solutions.