Software security, static code scanning.
It has performed very well.
The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from happening in the future.
It helps us gain confidence that the applications we're putting out in the hands of millions and millions of people have that industrial-strength quality to them; that we don't need to worry about as much as we used to.
We have such a wide variety of users for Veracode, including security champions, development leads, and developers themselves, that ease of use is really quite important, because we don't assume anything about what those people might already know, or need to know. It just makes it very useful for anyone who has to engage with it.
I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline.
Three to five years.
Stability has been great. I've never seen any downtime, in four years.
We went from 50 applications in 2015 to over 400 now. There seems to be no limit on how quickly it can scale and operate.
They're outstanding. Best in class. Absolutely. They bend over backwards to help us. We'll come up with questions and within minutes, we'll get answers. It's amazing. It's truly amazing.
It was very straightforward. Veracode was very helpful, hand-holding us through anything that we needed; they were right there and made it very simple.
We had been evaluating various different types of source-code scanners. It was a fundamental element of the program and we knew we had to have the best one that would meet a wide variety of applications: development, apps, as well as a wide variety of geographic dispersion of the people writing these apps.
We had IBM, we had Fortify, we had PMD, and there was one other scanner at the time that we were evaluating. Veracode came out on top, in almost every category.
By using a cloud-based scanner, we really had no issues with where the developers are geographically located. So we didn't really have setup problems at all. It just kind of happened, and scales fairly naturally, organically.
The most important criteria when selecting a vendor are
Take advantage of all of the help that Veracode provides, for implementation, operations, and maintenance, because they absolutely know what they're doing.
The primary use case is application security and application security testing, specifically static and dynamic analysis, and software composition analysis. It has performed excellently.
The benefits are the fact that it identifies our vulnerabilities, and it has improved us by allowing us to pull everything to the left in agreement with our SDLC and with our developers, and have them not only get buy-in because they can run sandbox scans that allow them not to generate metrics, but also run policy scans where we identify what the policy is and what is acceptable. So, it has helped us secure our company and our applications.
I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams. We would be able to scan our applications, identify the vulnerabilities, not generate metrics, which would allow the teams to address the vulnerabilities earlier in the cycle, and then have cleaner scans later on.
Also, I would maybe like to see a better report engine.
It is extremely stable.
So far, extremely scalable.
We do have ongoing technical support. We use them more as a backstop. My team handles most of the calls and issues that any of the developers might have.
CA support has excellent time frames. They are knowledgeable and get back to you with an actual solution, which is always a plus.
The initial setup was very straightforward.
Thank you for taking the time to share your experience with Veracode. We appreciate your time and hope all is still going well. Please let me know if there's anything I can do to help, my role is new here and I'm fascinated with the customer feedback.
PoC is in progress.
It needs to reach the level of Checkmarx's and Fortify Software's capabilities and service levels, or it may lose further market share.
No.
No.
Customer Service:
A three out of 10.
Technical Support:
A two out of 10.
Quality levels, service offerings, pricing, and mainly the features and abundance of technologies provided by others made us switch to a different solution.
In-house.
The pricing is pretty high.
Yes. Checkmarx, SonarQube and Fortify Software.
We used the application for the web. Static, dynamic, and manual scan features were all very useful for us. All of them helped us fix many security flaws.
It made us change our approach to coding. We tried to make sure our application stayed secure and safe.
The current features were enough for us. Although reports are well documented, it was difficult for us to understand them at first.
We have been using the solution for about a year.
We did not encounter any issues with stability.
We did not encounter any issues with scalability.
We didn't use the technical support, so I can't comment on this question.
We did not use a previous solution. This was the first security application we used.
It was very easy to set up. Everything on the website was clearly explained.
I don't know about the prices.
We did not evaluate any alternative solutions.
If it's the first time you are using a security application, be ready for some new tools which will require you to revitalize the flaws reported.
Reports are very well documented. Once you understand what it means and you get used to it, you will see that it is detailed and clearly explained.
Allows developers to run their own scans.
Reduced dependency on the security team to run scans. It helped the organizations to scan a large number of applications on a regular basis.
I would like to see the following:
We have used this solution for a year.
A few months ago, there were issues with the scanners and tickets were opened. However, they were resolved. This is a stable product.
There have not been any scalability issues yet.
I would give technical support a rating of 8/10. At times, we have not seen the best support in terms of issues faced during a scan.
We decided to begin a partnership with Veracode, so we can improve our services and provide the customers that trust us with a platform capable of reporting vulnerabilities and also delegating and keeping track of the remediation until the applications score 100% on stability before they go to production.
Compiled code means that the code written is stored in binaries for machine reading only. Veracode reads only those binaries (compiled code). The other way to have the code is "source code only", where you don't compile and anyone is able to read the code line by line.
This example might seem weird, but maybe it will clear things up:
Binary Code (Supported by Veracode):
11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010
11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 11110 010
1111000101000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 0101
Source Code:
public class HelloWorld {
    public static void main(String[] args) {
        // Prints "Hello, World" to the terminal window.
        System.out.println("Hello, World");
    }
}
When tracking source code vulnerabilities, sometimes it’s possible that the tool loses the path of the issues when the source code has been modified significantly.
Customer Service:
Customer and platform support is one of the best in the field. The experts are skilled and can hold as many meetings and do as much research as needed.
Technical Support:
The Veracode support team excels with the help of their experts, who are capable of solving most situations, and takes advantage of the variety of their members to delegate issues and problems to be solved.
I use a portfolio of tools for security consulting, but Veracode is the main app I rely on because customers are happy to be able to track the status of each individual issue or vulnerability.
Initial setup is very complex, requiring security knowledge, but it's easy when experts guide you through the whole process. Even after months of use, the Veracode experts are always there to help you with both the workflow and the dashboard tool.
Veracode is a very complete tool that drives you to invite customers, the apps team, developers, and even the product and marketing teams to navigate through the whole application. Its complexity makes it quite expensive, but it's all worth it, with all the engineering in the background.
Before choosing this product, many tools were tested, such as HPE WebInspect, AppScan, Checkmarx, etc. Those tools are good, and do their jobs really well. Veracode has many pros that involve a human touch, which is something a consulting firm, customers and big companies want from the information technology field.
I recommend exhausting all resources and gaining knowledge from different security tools, before making a decision. Veracode is not cheap, but it is a tool capable of giving dynamic, static and even manual scan results in one platform. Veracode is one of very few options out there, and the very best.
Static code analysis is a valuable feature.
We were able to easily integrate static code testing into the SDLC process. We moved from the waterfall to the agile methodology, and were still able to integrate Veracode testing within both methodologies.
It's been over a year since I used the product. But when I did, I found there were too many false positives.
I used it for one year.
No issues encountered.
No issues encountered.
No issues encountered.
8/10
Technical Support: 8/10
We used Barracuda for scanning containers, and in all of the DevOps workflow.
The coverage of backdoor attacks on security is what's most valuable for my clients.
There is room for improvement in documentation. Maybe the documentation about how to configure something. It is difficult to get the expected result.
I have been using this solution for two years.
It's stable. It works very well in the parameter like an enterprise solution. We don't have any problems with that.
We are very pleased with the support.
Positive
I would rate my experience with the initial setup a six out of ten, where one is difficult and ten is easy to set up.
We work on the deployment process. The solution is deployed both on-prem and in the cloud environment.
The solution doesn't require any maintenance.
It took two years to see ROI for our clients.
Veracode is expensive. But the solution is worth it.
Overall, I would rate the solution a nine out of ten. It is a good solution for security. In my personal opinion, there are not many products like Veracode in the market.

Thank you for taking the time to share your experience with Veracode. We appreciate your time and hope all is still going well. Please let me know if there's anything I can do to help.