Veracode Reviews

Our primary use case for this solution is application security.

The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.

This solution does a good job, but it is limited to only a few technologies. I would like to see expanded coverage for supporting more platforms, frameworks, and languages.

Specifically, I would like to see support for mobile frameworks like Xaramin and React JS, as well as extended support for iOS applications.

This solution is quite scalable.

We have approximately fifty users, but we definitely have plans to add more.

I have used their technical support and they are quite good.

We did not use another solution prior to this one.

The initial setup of this solution is straightforward.

This solution is on the pricey side. They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.

We evaluated other options, but we chose Veracode.

My advice for anybody who is interested in implementing this solution is to ensure that your technology is actually supported because the coverage is quite patchy. It is possible that if you use a framework or a language that Veracode does not support then it will give quite poor results.

I would rate this solution a six out of ten.

Dynamic and static scanning.

We're being much more security conscious whenever we're writing code, and we're trying to make sure it's giving us a benchmark, and to make sure we meet that, on a release cycle.

In terms of AppSec best practices, it has made everybody more conscious about what they're trying to accomplish, because they know at the end of the release cycle we're going to be running scans. They basically need to make sure they adhere to all the rules.

Our customers have benefited from the added application security we offer because they're more confident that our software isn't going to expose their organizations to any risk.

The ability to run scans. It's a critical piece of why we use the platform. We use it to get our scan results and see where our software is vulnerable or not vulnerable.

It's part of our SDLC now.

The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but sometimes it causes more work on our end.

No issues with stability.

Not that I know of.

I have not contacted tech support.

It seemed straightforward. I didn't actually do the work, but from what I was told, it seemed like it was fairly easy to get going.

I cannot give numbers on any cost savings related to code fixes since implementing CA Veracode in our development process.

It's worth the value.

We did evaluate other options, but I can't remember who we looked at.

I would be highly likely to recommend working with CA Veracode to colleagues. 

I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it needs to do.

Just be prepared that it's going to take effort from all aspects of the business to be able to utilize and achieve the goal that you're looking to achieve with the product.

Our primary use cases are for comprehensive security assessment using static analysis, dynamic analysis, source code composition, and manual penetration tests. We also use it for security training for developers.                         

Veracode is a valuable tool in our secure SDLC process.                                                        

Source code composition analysis for vulnerabilities and license compliance is the most valuable feature.                                                                                                 

It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects.  

I have been using Veracode for one year.

We also evaluated Synopsys.

I use Veracode to run scans on .NET applications, web applications and Windows/fat form applications. I also use it to make deployments in three-tier environments: the application server tier, web server tier and the database tier.

• Veracode has improved our penetration testing process. 

• We use Veracode static analysis during development to eliminate vulnerability issues.

• I have found the user interface extremely helpful in prioritizing issues.

• It allows me to prioritize the work to help resolve an issue.

They should improve on the static scanning time.

Scanning for code security vulnerabilities within our company's products.

Made our company aware of any potential code security vulnerabilities. Also, customers can use our products knowing they are verified by top organizations as safe.

Informing me of application security vulnerabilities. Bamboo build-automation with Veracode API calls are used.

• The user interface could be more sleek.
• Some scanning requirements aren't flexible.
• Some features take some time for new users to understand (like what exactly "modules" are).

No issues with stability.

No issues with scalability.

Great.

Somewhat straightforward. There was a little confusion about "missing modules" that are third-party files that we couldn't upload because we don't actually have them. That really confused us, but the technical support resolved the confusion.

I can't report on any cost savings relating to code fixes since implementing Veracode in our development process, but it makes us feel more confident about our code, which is awesome.

We are satisfied.

None. We might look into Checkmarx.

I am very likely to recommend Veracode to colleagues. Veracode is great.

We are Veracode partners/distributors in Quito, Ecuador. 

At this moment, I am reviewing the solution. 

It helps me to detect vulnerabilities.

I use the SAST feature the most.

All areas of the solution could use some improvement.

PoC is in progress.

• Application testing
• False positives challenges
• Wide range of platforms and technology assessments

It needs to reach the level of Checkmarx's and Fortify Software's capabilities and service levels, or may further loosen the market share.

No.

No.

Customer Service:

A three out of 10.

Technical Support:

A two out of 10.

Quality levels, service offerings, pricing, and mainly the features and abundance of technologies provided by others made us switch to a different solution.

In-house.

The pricing is pretty high.

Yes. Checkmarx, SonarQube and Fortify Software.