Veracode Reviews

Allows developers to run their own scans.

Reduced dependency on the security team to run scans. It helped the organizations to scan a large number of applications on a regular basis.

I would like to see the following:

• Correction of the regularly received false positives
• Options to manage comments and mitigations
• Better UI functionality

We have used this solution for a year.

A few months ago, there were issues with the scanners and tickets were opened. However, they were resolved. This is a stable product.

There have not been any scalability issues yet.

I would give technical support a rating of 8/10. At times, we have not seen the best support in terms of issues faced during a scan.

We decided to begin a partnership with Veracode, so we can improve our services and provide the customers that trust us with a platform capable to report vulnerabilities and also delegate and keep tracking of the remediation until the applications score 100% on stability before they go to production.

• Customer and professional support
• Live sessions and training
• The coverage of the last vulnerabilities reported
• The coverage of the programming languages

• To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources.

Compiled code means that the code written is stored in binaries for machine reading only. Veracode reads only those binaries (compiled code). The other way to have the code is “Source Code written only”, a process where you don’t compile and anyone is able to read line by line the code.

This example might seem weird, but maybe will clear things out:

Binary Code (Supported by Veracode):

11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010

11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 11110 010

1111000101000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 0101

Source Code:

public class HelloWorld {

public static void main(String[] args) {

// Prints "Hello, World" to the terminal window.

System.out.println("Hello, World");

}

}

When tracking source code vulnerabilities, sometimes it’s possible that the tool loses the path of the issues when the source code has been modified significantly.

Customer Service:

Customer and platform support is one of the best in the field. The experts are skilled and can have as many meetings and researches as needed.

Technical Support:

The Veracode support team excels with help of their experts capable to solve most of the situations, and taking advantage of the variety of their members to delegate issues and problems to solve.

I use a portfolio of tools for security consulting, but Veracode is the main app I rely on because customers are happy to be able to track the status of each individual issue or vulnerability.

Initial setup is very complex, requiring security knowledge, but it’s easy when experts guide you through all the process. Even after months of use, the Veracode experts are always there to help you on both the workflow and the dashboard tool.

Veracode is a very complete tool; that drives you to invite customers, the apps team, developers and even the product and marketing team to navigate through the whole application. Its complexity makes it quite expensive, but it’s all worth it, with all the engineering in the background.

Before choosing this product, many tools were tested, such as HPE WebInspect, AppScan, Checkmarx, etc. Those tools are good, and do their jobs really well. Veracode has many pros that involve a human touch, which is something a consulting firm, customers and big companies want from the information technology field.

I recommend exhausting all resources and gaining knowledge from different security tools, before making a decision. Veracode is not cheap, but it is a tool capable of giving dynamic, static and even manual scan results in one platform. Veracode is one of very few options out there, and the very best.

Static code analysis is a valuable feature.

We were able to easily integrate static code testing into the SDLC process. We moved from the waterfall to the agile methodology, and were still able to integrate Veracode testing within both methodologies.

It's been over a year since I used the product. But when I did, I found there were too many false positives.

I used it for one year.

No issues encountered.

No issues encountered.

No issues encountered.

8/10

8/10

We used Barracuda for scanning containers. And in all in DevOps workflow.

The coverage of backdoors attacks on security that's the most valuable for my clients.

There is room for improvement in documentation. Maybe the documentation about how to configure something. It is difficult to get the expected result. 

I have been using this solution for two years. 

It's stable. It works very well in the parameter like an enterprise solution. We don't have any problems with that.

We are very pleased with the support.

Positive

I would rate my experience with the initial setup a six out of ten, where one is difficult and ten is easy to set up. 

We work on the deployment process. The solution is deployed both on-prem and in the cloud environment.

The solution doesn't require any maintenance. 

It took two years to see ROI for our clients.

Veracode is expensive. But the solution is worth it. 

Overall, I would rate the solution a nine out of ten. It is a good solution for security. In my personal opinion, there are not many products like Veracode in the market.