Veracode Reviews

Static scanning is one component of Veracode. That feature we use heavily to scan all the custom code we write weekly. We use another component called software composition analysis to scan all of our open-source packages. These are the two primary use cases that we have for Veracode.

It flags any security flaws or bad practices. Veracode has its own database for many vulnerabilities identified on the SCA side. They use a tool called SourceClear, which validates vulnerabilities in any of these packages. The scanner itself is pretty good at identifying some of the flaws in either the code or the open-source packages.

Our organization is more secure than without Veracode. It has improved our security posture because we're running it. It's hard to gauge what that would be without it because we haven't had any security issues since I joined the company. 

Veracode is very good at ensuring compliance with industry standards. It has helped us fix flaws. We know what's there, and there's generally a decent explanation for fixing each flaw. It's a quicker time to market. It's easy to figure out the problem and solve it so that we don't have exposed vulnerabilities in the market. 

It has helped developers save time. We generally resolve all our flaws within seven to 20 business days after they are identified. Veracode is crucial to our shift-left strategy. We have automated scans, so we scan all our code every weekend. Today is one of those days, so it's usually the time when we come in, see there's a new problem, and immediately start working on it.

Static scanning and software composition analysis are very helpful. My colleagues and I don't need to be experts on all of those ancillary things, so we can focus more on the business deliverables.

They have a pretty good tool that allows me to run scans of my local integrated development environment. I can find a lot of those flaws a lot sooner than I would if I had to wait for these cloud-based scans. They've come out with some sort of automated fix feature. I haven't used it, but they gave us a demo of it, and that one looks promising. I don't know if it's ready for prime time yet. 

The usability isn't good in Veracode. Sometimes, it will show a problem, but it's difficult to go into their tool and figure out where it is. You primarily use a web browser to access their system. It requires a lot of clicks. The static analysis is a separate part of their system from the SCA, so that's a bit difficult. They haven't fully integrated that. It's difficult for the consumer.

We have used Veracode for about five years. 

Veracode's stability is 50-50. They deploy new versions of their engine. Recently, the new version identified flaws in the code that were six months to a year old.  

Veracode seems to scale pretty well. We scan 60 to 70 applications every weekend without any problems. 

I rate Veracode's support engineers eight and their frontline support four. Their engineers are typically good and helpful. If I open a tech support ticket, I usually get a Veracode engineer. Those guys are good. I would rate their other support people poorly. 

Neutral

Veracode is straightforward to deploy. It's a general automated dev ops strategy. It's a responsibility shared among 20 to 30 people.

Veracode is a decent value, depending on what you're trying to achieve. It's pretty good for security flaws.

I rate Veracode six out of 10. I would recommend Veracode to others. The scanner is best in class, but the rest, not so much. 

We use Veracode for static and dynamic application security testing (SAST and DAST) on our web applications to ensure there are no vulnerabilities.

So, my use case for Veracode is pretty much for DAST and SAST protection. I'm a pen tester and DevSecOps engineer. I evaluate the vulnerabilities and mark them as false positives if needed. I also manually exploit them. If we're unable to understand something, we raise a ticket to the Veracode team and get consultancy from them.   

So we are developing an application named Euro Car Parts, Car Parts 4 Less. It is an application which consists of multiple car parts and vehicle parts and everything. We are dependent on Veracode for that application, so it is quite helpful. 

As threats are increasing day by day. There are new vulnerabilities that come up these days, and applications get compromised. Veracode quite helps us with the latest security configurations, OWASP standards, and SAST standards. So it is really helping us and improving our security posture with each upgrade, each scan.

It's robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better.

The solution offers the ability to prevent vulnerable code from going into production.

It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly.

I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them.

We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us.

As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good.

The solution provides visibility into application status at every phase of development. Like static analysis, dynamic analysis, software composition, and manual penetration tests - throughout the SDLC

We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline. We use Snyk for SCA and Veracode for SAST scanning. 

At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues.

We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. 

There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool.

We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works.

Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.

Before deployment, we upload our JavaScript and PHP files to Veracode for static analysis. It returns a report with multiple vulnerabilities or security misconfigurations. We then correct them to ensure they don't exist on our production server.

The key point of Veracode is that it's an all-in-one solution. It has all the logs, features, and reports in one place. Compared to other tools where you need to access different platforms and modules to check results and scan reports, Veracode provides everything in a centralized location. That's what I like about Veracode.

There is room for improvement in Veracode's plugin, its API plugin. I think that API or we need to install some Java .jar file for that. This is the main challenge I have faced because it gets very hectic while integrating it with our pipelines. But it is working fine now. It is not a very big deal, but this area should be improved.

I have been one and a half years, like, 15 to 16 months.

It is a stable solution. The stability is good, so I would rate it a nine out of ten.

It is a scalable product. I would rate it a nine out of ten.

Each time I raise a ticket regarding something, they are very quick about the responses and get connected instantly, like, right after one day. They reply very fast.

So, the customer service and support are good. Last month, I had a call with two consultants regarding some vulnerabilities. There were some issues where code was reported as a cross-site scripting, but that was from a library we were using. I tried to exploit them manually, but it didn't reflect any cross-site scripting issues. They came back with the solution real quick. They just wanted us to remove an attribute we had used inside. We got that removed, and it got fixed. It is working fine now. So, no issues. It is quite fast. I don't have any complaints.

Positive

Earlier, I used tools like Snyk, Fortify, and Checkmarx. Each tool has its own pros and cons. 

Veracode is a bit slow compared to Snyk and other tools in the market. 

But the best thing about Veracode is that you can get everything in one place. You don't need to switch between different domains, tabs, or profiles. 

Everything you want is on the same spot, on the same page. So, it is very easy to compare and check things out.

There's no different approach because every tool runs a scan, gets back to us with reports, and we validate them. We get the mitigation, check the responses, and check the actual line of code or security misconfiguration that needs fixing. The approach remains the same. I will try to exploit it manually, determine if it is a false positive or an existing issue. Then we give a green flag, and it moves ahead to deployment.

The deployment is complex. There are multiple things we need to check before getting our application to deploy.

So, the setup's complexity could be improved or simplified, in my opinion.

The scan doesn't take that much time to complete. You just need to sync it with your application and the scan. You just need to make the configuration and use the API into AWS or Jenkins pipeline. So, it will take five to six hours to integrate, not more than that. But with the tests, to make sure that it is working fine with the deployment and all, it takes one day.

The solution doesn't require any maintenance; at least I didn't face anything. I just wait for the upgrade. It gets upgraded with the latest known vulnerabilities, and it gets better and improved. 

There are three teams on board: the dev team, another dev team, and the QA team. It consists of about eighteen people.

It saves us around 30% of the time.  It is worth the investment because security must be the first step when developing an application. You use someone's data, especially if you work with e-commerce, banking, health, or welfare applications. You need to be very aware and secure about it. 

Each user's data must be protected, and their privacy should not be compromised. So, it is very important to maintain the security configurations and ensure there are no vulnerabilities. I believe it is worth the investment.

It works quite well as per market standards. The other tools also charge the same, whether it's SAST or other security tools. They are quite similar.

I would recommend others to use it because it is very robust and has everything in one place. You don't need to move to any different apps or domains, or different platforms to get things done. You will get the mitigation, you will get the vulnerabilities, you will get everything at one place on the dashboard. So I will definitely recommend it. 

It is not as fast as Snyk, but it is scalable, and it has more coverage, I think, compared to Snyk because it gets back to us with vulnerabilities that Snyk cannot find. So, I will recommend it to my friends. 

Overall, I would rate it an eight out of ten. 

We use Veracode for static code analysis of our applications in two main ways: reactively and proactively. For the reactive approach, we run automatic scans nightly after developers merge changes from feature branches into the release branch. Proactively, we use the Veracode Greenlight plugin, which checks for vulnerabilities when developers try to commit code, even on feature branches, only allowing commits after passing these checks.

I appreciate Veracode's SAST and SCA features, which help to find open-source vulnerabilities. I'd estimate it's about 98% accurate, though some false positives occasionally exist. Our team has been using it for a long time. 

We sometimes use the free access to the tool's application security consulting team. We reach out to them when we've tried to change our code based on its recommendations but still can't achieve 100% green status. They help us fix issues in real-time through screen sharing and development work.

We saw the tool's benefits long ago when we first implemented it. Security is a top priority for us when working for a bank. We recognized the solution as one of the best tools in the market and decided to integrate it into our pipeline. We set up quality checks in our pipelines so that any code with high or critical vulnerabilities can't even be deployed to the development environment. This proved helpful for our team. Now, we have a quality gate that checks the Veracode status before any code goes into production. If Veracode scanning shows no vulnerabilities, the code can only be deployed to production. We strictly follow this process and have made Veracode an integral part of our Software Development Life Cycle approach.

Veracode has also helped us save time, especially with its proactive approach. The Greenlight plugin works directly in our IDE and is particularly helpful.

The solution should include monthly guidelines, a calendar, or a newsletter highlighting the top vulnerabilities and how to resolve them using Veracode. Its  policies should be up-to-date with NIST standards and OWASP policies.

I think if it could be enhanced with AI capabilities similar to Copilot, it could be even more beneficial in guiding developers and catching potential issues early in the development process. The solution should also come up with docker images. 

I have been using the product for six years. 

The product's support is good. 

Positive

The solution's deployment is easy. 

I rate the overall product an eight out of ten. 

In our company, we have various projects, and before beginning the development process, we utilize Veracode to scan the repository for any potential security issues. For instance, if we are using a third-party API or client dependency, such as a payment system, we require a third-party dependency. Once we have implemented this feature and scanned it using Veracode, any security vulnerabilities or code issues are highlighted. It is imperative that we resolve any Veracode issues to ensure our build is successful. To solve these issues, we may need to upgrade the version of our dependencies or investigate any security issues with the versions we are currently using.

The code is checked for any security issues, as well as any potential code issues or code smells that could cause major critical blockers. In this context, blockers have the highest priority, and if any are identified, they must be addressed urgently. The bugs or code smells are analyzed, and priority or severity is assigned accordingly. Dependencies used in the code are also checked for security issues.

Veracode's ability to prevent vulnerable code from being deployed into production is crucial. Typically, if a dependency we use has security issues or concerns, Veracode suggests upgrading to a more secure version. For example, if we're using a PayPal dependency with version 1.3 and it has a security bug, Veracode suggests upgrading to version 1.4 which fixes the issue. We usually make our project compatible with version 1.4, but sometimes Veracode recommends removing the dependent code altogether and adding the updated dependency from another repository. Veracode provides suggestions for resolving security issues and we implement them in our code after resolving any conflicts. We run the Veracode scan again and if it fails, we do not deploy the code to production. This is critical as it ensures that security issues such as bugs and fixes are addressed.

Veracode consistently assists us in identifying security issues in third-party dependencies, while also ensuring the maintenance of code quality. Preventing security bugs and threats in our code improves the overall code quality of our company, which is essential given the significant concerns surrounding security today.

Veracode's policy reporting is helpful for ensuring compliance with industry standards and regulations. Veracode's solution plays a major role in achieving compliance, including HIPAA compliance. Without Veracode scans, identifying security threats and third-party dependencies would be a tedious task for DevOps professionals.

Veracode provides visibility into the status of our application during every phase of development, including continuous integration and continuous development CI/CD pipeline stages. This includes builds, package creation for deployment, and various enrollment stages such as develop, queue, stage, above, and production enrollment. Prior to each stage, a Veracode scan is run. This can be accessed through Jenkins or the CI/CD pipeline by clicking on the Veracode scan option, which provides a detailed report highlighting any security issues and concerns.

Veracode performs statistical analysis, dynamic analysis, software composition analysis, and manual penetration tests throughout our software development life cycle. Veracode scans not only for third-party security issues but also for possible issues in our own code. This occurs in every phase of development, including the SDLC. For example, if we use an encryption algorithm with a private or public key that is easy to decode, Veracode will identify this as an error or warning in the report and suggest using multiple layers of encryption for the keys.

The entire CI/CD process is part of DevOps. Therefore, the responsibility of configuring the Veracode tool usually falls on the DevOps professional. It is essential to integrate Veracode with the CI/CD pipeline within the project to ensure it is always incorporated. Whenever there is a priority or mandatory check required before deployment, Veracode should run beforehand. This integration is carried out by our DevSecOps team.

Veracode's false positive rate is good, as it helps us identify possible security concerns in our code. In my opinion, it is advisable to run a Veracode scan on all codes. I have worked in the IT industry for five years, and I have observed that Veracode has been implemented in every project I have worked on. If a tool is improving our code quality and providing us with insights into potential security issues, it is always beneficial to use it.

The false positive rate boosts our developers' confidence in Veracode when addressing vulnerabilities. Veracode also provides suggestions when there is a security issue with a dependency in version 1.7, prompting us to consider using version 1.8, which does not have security issues. This process involves the developers, and it leaves a positive impression on our managers and clients, demonstrating our commitment to security. We can show them that we were previously using version 1.7 but updated to version 1.8 after identifying the security issue with Veracode's help. Unfortunately, there is no centralized platform to check for network issues or problems with dependencies and versions. Veracode provides a centralized solution where we can scan our project and receive results.

Veracode has helped our organization address flaws in our software and automation processes. Its positive impact has been reflected in our ROI, which increased when we started using Veracode. Without Veracode, we would be susceptible to security issues and potential hacking. However, after implementing Veracode scans, we have not encountered any such problems. It is critical for us to use Veracode because we capture sensitive data such as pharmacy information for real-time users, including patient prescriptions and refill schedules. This sensitive data could pose a significant problem if our code or software has security vulnerabilities. Fortunately, Veracode scans allow us to prevent such issues.

Veracode has helped our developers save time by providing a solution that eliminates the need to manually check for dependencies or search the internet for information on which dependencies have issues. Instead, Veracode provides a detailed report that identifies the issues and recommends the appropriate version to use. Using Veracode ensures the quality of our code and also saves time for our developers. In my career of five years, Veracode has helped me resolve code issues eight times.

Veracode has reduced our SecOps costs by identifying security vulnerabilities in our code. Without Veracode, if we were to go live with these issues, it could result in a breach of our encrypted data, potentially causing significant harm to our organization. This would require significant time and cost to resolve the issue and restore the data. Veracode has improved the quality of our code and reduced the risk of such incidents occurring, thereby minimizing their impact on our organization.

The most valuable feature is detecting security vulnerabilities in the project. This is especially important when choosing third-party dependencies since we may not be aware of any potential security concerns or issues in the code. Veracode can help identify security issues in third-party dependencies, including code fixes and bugs. By focusing on our own security issues, we can also address potential security issues in third-party dependencies. Before going into production, we typically conduct a record scan in each department to ensure security measures are in place. 

The scanning process for records could be faster and there is room for improvement in Veracode's performance. Currently, it takes around 25 to 30 minutes to scan a standard repository, even for a small one. This is not ideal, especially since we are using a microservice architecture with eight repositories. If each repository takes 25 minutes to scan, it would take a significant amount of time to scan all of them. Therefore, I would like to see some performance improvements in Veracode to reduce the time it takes to scan our code and generate detailed reports.

I have been using the solution for two years.

The solution is stable.

Veracode is scalable but the performance can be slow when running scans so the larger we scale the slower it can be.

The initial setup, including Veracode configuration, is straightforward. During setup, we only need to provide the repository path and specify the type of project, based on the chosen technology. We also need to indicate where the project dependencies are located, with prioritization for Java projects and placement in the NPMRC file for node.js or Java security projects. Overall, the process is simple and straightforward.

The implementation was completed in-house.

We have seen a return on investment.

I give the solution a nine out of ten.

All coders should have Veracode since it helps prevent security issues in applications, thereby safeguarding critical data. As we know, all applications contain sensitive information. If we only store some of our data online, we have to rely on applications that meet industry standards and compliance requirements. Veracode can help achieve these standards and compliance. To ensure this, Veracode must be set up to scan and integrate with the Jenkins CI/CD pipeline.

We capture the health and pharmacy data of users, so Veracode is deployed in various countries and running live. We have over ten million users.

We use Veracode to scan the applications.

Veracode's ability to prevent vulnerable code from entering the production environment is good.

Using Veracode's ASC team is easy. I can send them an email and arrange a call from the app. They were helpful when I had issues or questions about using the app.

Free access to the ASC team is a significant advantage because they possess in-depth knowledge of the product and are readily available for assistance.

It is innovative when it comes to features.

Veracode helps our organization with security scanning. We realized the benefit of Veracode as soon as it was deployed.

The policy reporting is valuable because it provides two key benefits: first, it generates a security score for our application. Second, it offers comprehensive reporting that details both the vulnerabilities found and the potential risks they pose to our application.

Veracode can provide visibility into application status at every phase of development.

It assists our application team in fixing flaws by identifying issues and guiding the team toward resolving them.

Veracode helps our developers save time by ensuring the code is secure.

Veracode helps us improve our overall security posture. When a Veracode report shows no vulnerabilities, it indicates a strong security position. This allows the security team to sign off on approvals more efficiently, as a clean Veracode report is a key factor in their evaluation process.

Veracode is a valuable tool for a shift-left security strategy. It helps save overall development time, money, and effort by identifying and resolving security vulnerabilities early in the development lifecycle.

I find Veracode's SASD feature to be the most beneficial because it enables us to proactively identify security vulnerabilities in our application code before deployment. This static analysis helps ensure a secure application rollout across all environments.

The scanning takes a lot of time to complete.

Veracode offers comprehensive visibility into application security throughout the development lifecycle. However, due to cost constraints, we are not currently utilizing all available analysis types.

I would like Veracode to introduce infrastructure as code scanning.

Instead of relying on emails, it would be beneficial if Veracode offered a built-in tool for logging and managing issue tickets.

Veracode sometimes performs maintenance without notifying clients in advance, which can cause disruption.

I have been using Veracode for two years.

For the most part, Veracode is stable but there are times when we have downtime due to maintenance that we are not informed of.

I would rate the scalability of Veracode nine out of ten.

Technical support has been great at fixing any issues I've had.

Positive

My client in the banking industry previously used Black Duck before switching to Veracode.

Veracode's end-to-end testing offers a significant advantage over other solutions by providing a comprehensive security solution. This includes capabilities for static analysis, dynamic scanning, and even penetration testing. However, the cost associated with dynamic scanning and penetration testing may deter some clients from utilizing these features.

I don't have firsthand knowledge of Veracode pricing, but based on client feedback, it seems to be expensive with additional fees for certain features.

I would rate Veracode eight out of ten.

Maintenance is performed by Veracode.

During a Veracode evaluation, consider the following factors: Evaluate the time required for Veracode to complete a scan. Faster scans allow for quicker feedback and integration into development workflows. Consider the overall cost of Veracode, including licensing fees and any associated charges for scans. Assess Veracode's orchestration tools, particularly its compatibility with your existing CI/CD pipeline. Ideally, Veracode should offer seamless integration for easy adoption. Evaluate the availability and variety of connectors Veracode offers for integration with your development tools. A wider range of connectors simplifies the integration process.

We use Veracode for static application security testing, dynamic testing, and software composition analysis. My company's engineering team has about 50 people who use Veracode across multiple product lines. 

The main benefit of Veracode is that we can deliver better, more secure software. Our customers also trust Veracode. When we share the Veracode report, they see that we have gone through all the due diligence.

Veracode aligns with SOC, ISO, and other types of certifications. It helps with compliance that Veracode has all these reporting formats. The solution provides visibility at every stage of development. We have automated almost everything through integration with Jenkins. As soon as the developer commits, it triggers the static scan for the main branches. We don't need to trigger the scan manually or do a follow-up to see if it's done scanning. 

The solution saves time by reporting issues and recommendations that help developers fix the reported vulnerabilities faster. I estimate that it improved developer productivity by about 10 percent.

Veracode has good support for microservices, and I also like the sandbox environment. For example, when introducing a new component, we can scan it in a sandbox environment. It will not impact the main environment. When our team fixes it, they. can push it to the production environment when the results are acceptable. 

The solution effectively prevents vulnerabilities from entering production. We've drastically reduced our third-party VAPT-reported issues. Before Veracode, the third-party VAPT analysis reported hundreds of issues per application. Now it's down to about 20, and Veracode can address most of them.

The interface is one thing I find a little challenging. Veracode's interface feels a little outdated compared to other solutions, and it could be modernized. I'm mostly happy with the features, but Veracode could add Docker image scanning. 

I have used Veracode for about six years.

Veracode seems stable. I don't recall facing any issues. 

Veracode is scalable.

I rate Veracode support eight out of 10. They are quite good at responding to issues. 

Positive

We tried AppScan and Snyk.  From an integration perspective, Snyk is a little better integrated with our pipelines and ticketing system. 

I can't recall the deployment well, but I think it was straightforward. Veracode requires no maintenance after deployment. 

I have not calculated the return on investment, but I think it's at least 200 percent. 

We aren't paying the listed price. We get some discounts, but we get a lot of value from it regardless of what we're paying. We look at the overall cost of what we would spend without a tool like Veracode. The longer you delay fixing security vulnerabilities, the more it will cost you during the later stages. By integrating it into the development cycle earlier, it helps to keep total costs lower.

We evaluated multiple scanning solutions before choosing Veracode, and we perform a mandatory comparative analysis annually. Veracode's scanning engine is more innovative and provides a more detailed analysis relative to Snyk and AppScan. It performs much better in terms of the number of issues discovered. 

I rate Veracode 10 out of 10. When implementing Veracode, you need to develop a workflow or a process. It becomes easier if you have that in place. For example, you can create a workflow where you scan inside the sandbox and approve those fixes before moving to production. 

Also, you should have separate people for raising issues, remediation, and approval. That way, you will have some control over which issues are mitigated and for what reason. That process flow has to be set up properly. Another aspect of successful implementation is automation. Your team needs to invest time in automating and embedding scanning in your pipelines. 

My company produces one of the most secure fabrics that you can find. Veracode is integrated into our development cycle through Jira. We do a full static analysis with Veracode and use Burp Suite to review the findings. The most common attack vector we find in Java code is SQL injection. When SQL injection shows up, you send a screenshot and a report to your executive team. They see the screenshot and say, "Oh, they're seeking injection here." 

This has now become a top priority. We're going to pause all these redundant features that we're making here and ensure our code is secure with no SQL injection vulnerabilities. Veracode finds everything, and the security engineers do the penetration test using the results. You provide a report showing where the issue is, and developers can fix it. We also use Veracode to train security engineers and teach them how to file reports.

My case is different from other individuals. I worked for a startup, so we had to find a way to capitalize on all the resources in Veracode. Larger organizations are not leveraging the built-in dashboard. That aspect is what people want to know about. They want to see how their money is being spent on security. The biggest problem with security is getting funding. None of these executives believe anything these users are saying until they can see the results.

They want that dashboard report. In less than three weeks, a junior security engineer can learn to create a dashboard easily that will allow the organization to stay on top of the most important things. They need to show the stakeholders that we're doing something here. They'll get the certification and see the dashboards. You now have something that's actually worth $2,000. With these other ones, who knows what you'll get. 

It allows us to provide a certificate showing stakeholders and potential customers the proof that we take security seriously. Everyone says that they're on top of their security and have all these things in place. In a sales call, we can immediately respond to any questions about our security posture by pointing them to a link showing that your company was among the few companies that completed the full certification process. Veracode has four levels of certification, and we are at level three, I believe. 

To my knowledge, Veracode is the only real devSecOps pipeline that captures every component of the software delivery cycle, from sandbox and staging to development and production. You need to go through those four phases and ensure the code is secure by the time it hits production. Veracode handles all those phases seamlessly and can be automated with Jenkins.

Veracode is highly efficient at fixing flaws. A single person can go through and do a penetration test after collecting the data from Veracode. Instead of telling developers where the issue is, they can show them in the code editor for the static analysis. They can assign tasks to the team using Jira, so developers almost never need to do that work. They actually almost never go back and fix any of these vulnerabilities. That's why I was my company's most hated and most loved man. I forced them to do it.

I like Veracode's API. You can put it into a simple bash script and run your own security testing from your MacBook in less than 15 minutes. Veracode's application security consulting team is very helpful. They're responsive and follow up quickly. 

Veracode would benefit greatly from more training resources. The videos are great, but I would like more hands-on training writing a script, validating a script with a unit test in a different language, etc. That's something that would be very valuable. 

We have used Veracode for more than four years.

Veracode is highly stable. It very rarely crashes. 

I rate Veracode support 10 out of 10. Their customer support is incredible. If I have any issues, I can immediately connect with their support team and have a real working solution within one week.

Positive

Deploying Veracode is easy. I had the best customer success manager at Veracode helping me. After deployment, Veracode requires little maintenance. 

Veracode is inexpensive and cost-effective. The licensing model is unambiguous. You know what you are getting. They also give you several seats for training. That's why it would benefit them to improve the training because more people could take advantage of it and use certifications. Some certifications for other products don't have much real value, but Veracode is a product many companies use, so it could help people get jobs.

If you're concerned about the cost, you should meet with a representative to talk about pricing. Veracode is flexible, and they're willing to let companies try the platform or test different features. They will work with companies to get to the point where they'll use it.

I used JFrog X-ray with homegrown scripts for testing the code. It was terrible. We chose Veracode because it is more scalable. We could run scans on any code, and it was reliable. Also, their documentation was up to date. With other software providers, you would find an issue in the documentation, and they would backtrack, saying, "Oh, no one's using that." 

Veracode immediately responds to the community. You have people in the community supporting each other and suggesting new features. Software providers say they're open to suggestions. Veracode will quickly get something from the community and immediately put it into development. JFrog has the same stuff as they did four years ago. They haven't changed anything. 

I rate Veracode 10 out of 10. Veracode is constantly changing and improving. 

My company is a financial and technical enterprise with involvement in healthcare as well. We use Veracode for scanning, utilizing both SAST and DAST approaches. The purpose of static testing is to assess our code for vulnerabilities before deployment. After completing this step and addressing any identified issues, we run dynamic application security testing on the applications we've created to ensure there are no vulnerabilities introduced after the build. These could be issues that arise during the execution of the code, rather than being inherent to the code itself.

Additionally, we are currently considering or in the process of transitioning to Veracode for a specific function known as Software Composition Analysis, which is among the services they offer.

In terms of my use cases, I oversee approximately 200 development teams managing around three to four hundred projects. About 30 percent of these projects are connected to Veracode. Moreover, I manage a user base of over 700 individuals, and many of our build pipelines include immediate SAST scanning during the building process.

We currently use Vericode Cloud, specifically the public cloud. At the moment, I am in the process of deploying two Veracode ISM management servers from their platform. These servers will be responsible for scanning our internal applications that are not exposed to the external world. One significant aspect is that our company decided to transition to the cloud approximately three years ago. Initially, we had 27 data centers scattered worldwide, but now we have reduced that number to five. By the end of this year, we plan to further decrease it to three, and eventually, we will likely have only one or two data centers in the future. However, there are certain things that we cannot migrate to the cloud.

Veracode's ability to prevent vulnerable code from being deployed into production is excellent. It is considered one of the best scanning tools available. We have conducted several comparisons between Veracode and other products in the market, and Veracode consistently ranks first among those we have tested.

With Veracode, the amount of vulnerable code that gets through is almost negligible. When we run a scan, we don't expect to find any significant vulnerabilities because the SAST usually catches almost everything.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is excellent. It is applicable to us as a multinational company with PCI and HIPAA requirements, and we also engage in government projects. Consequently, we are obliged to adhere to any relevant regulations, which is why we have implemented numerous policies that automatically alert us when any action might potentially violate the established guidelines.

Although Veracode can offer visibility into the application's status at every phase of development, we do not rely on manual penetration testing because we have our own testing team. Instead, we use SAST from the moment our developers start typing the code until the deployment phase. 

The visibility has significantly expedited our DevSecOps process. Now that we've integrated Veracode and included it in our build pipelines, we can provide feedback on potential issues and vulnerabilities in their code much more quickly. Our team appreciates and is delighted with this improvement because, previously, we had to wait until the builds were completed, then run DAST and subsequently present them with ten pages of issues, which would take them ten to fifteen days to address. By adopting a left-shifting approach, we've moved the bar further to the left, reaching a point where we can hardly get closer than we are now while they are actively coding. The only way to provide them with even faster information about potential vulnerabilities in their code would be to offer feedback as they type and when they push the code to the main build. Unfortunately, as of now, there are no tools available that can accomplish this.

Veracode has been a great benefit because it allows developers to log in to their code and examine the specific vulnerabilities they were informed about. Typically, there is a description of why and how the vulnerability occurred, along with guidance on how to resolve it. Veracode significantly aids our organization in fixing flaws.

Veracode helps our developers save time. While I cannot provide a precise estimate of the actual time saved, I can explain that the more we shift the SAST to the left, meaning running it as soon as the developers enter their code, the more time we can save. This is because when developers have the code fresh in their minds, they have a better understanding of what they wrote and how to fix any vulnerabilities based on the provided descriptions. On the contrary, if we shift the SAST further to the right when the code is already completed and possibly being reviewed by a different developer, it will take more time for them to understand the original code and the vulnerability's context. Thus, the original developer could have fixed the vulnerability in a shorter period of time. Additionally, considering the learning curve for new developers down the line, it becomes even more crucial to have the original developer fix the vulnerability promptly. If we only run DAST without SAST, we might end up with a long list of ten thousand potential vulnerabilities, which would require weeks of work just to address them all sequentially from the start.

Veracode has had a significant impact on our organization's security posture. When I first arrived, we were only connected to about three different teams. Originally, we only had seven or eight teams. Now, we have almost two hundred teams. One of the most significant changes is that even with those seven or eight teams, only two or so were using Veracode. However, we gradually added more teams as they came on board. Subsequently, there was a major organizational change, and Teams were divided into smaller, more compact, and agile units, which is the new trend in the industry. As a result, the teams are now much smaller, more diverse, and more agile. We are now connected to 70 percent of the two hundred teams. We have expanded considerably, but there is still more to achieve. The efficiencies have improved significantly, and the developers are satisfied with this progress. This shift is excellent for security because we were usually known as the "no people," but now we are transforming into the "yes" and "let me help you with that" people.

Veracode has reduced the cost of our DevSecOps, just from the 25 percent time-saving. The most expensive factor is not computers or technology, but rather, it's people. If I were to add together all of the salaries of the individuals and compare the amount of time saved to the total salary cost, I could cover the expenses for my infrastructure twice over a year. 

The most valuable feature is the SAST capability and its integration into the Veracode pipelines.

From what we have seen of Veracode's SCA offering, it is just average. The SBOM is adequate, but it's essentially the same as what everyone else is doing. In terms of SCA, they are about average compared to other systems. Therefore, I would like to see some improvements. 

SAST, DAST, and SCA in a single pane of glass would be a good upgrade to Veracode.

We are a Jira and Confluence shop and I would like to have a really good integration with those tools. 

We have a ticketing system that not too many companies have ever heard of. In fact, I had never heard of it before coming here. Instead of using a well-known industry standard like ServiceNow, we use a ticketing system called Cherwell, which also has an open API. Having an API for the ticketing system would be really beneficial.

I would prefer if Veracode offered more options for licensing, such as a pipeline or project license instead of a user license. Currently, I have around seven hundred users, but I manage fewer projects. Therefore, I believe it would be more beneficial and efficient for me if Veracode could adopt a project-based pricing model. In reality, I have multiple teams working on various projects simultaneously. Pricing based on the number of projects I have up and running would be more suitable for my needs compared to the number of developers working on a particular project.

One thing that I would like to be able to do is to receive a daily summary of the emails I currently receive. With numerous ongoing projects, constant scanning occurs, resulting in a high volume of emails about what is being processed. I believe it would be helpful if Veracode could create a daily summary of these emails. This way, I can easily track the number of actual emails I receive without having to go through each one individually. As of now, I already have 65 emails from Veracode, specifically regarding the processes that ran today.

I have been using Veracode for three years.

I have almost never seen any downtime with Veracode.

The scalability is excellent because we utilize Veracode on their cloud infrastructure, and we handle dozens of projects daily.

I've never had a problem that didn't get solved, or at the very least, get immediate feedback. So, I would say their technical support is very good.

Positive

I previously utilized a solution provided by IBM in my previous organization, but later we transitioned to a company named WhiteHat Security. The reason for this switch was that when we conducted a scan using the IBM solution, it returned a result of ten thousand vulnerabilities. It was my responsibility to review the vulnerability report and clear out any false positives. However, this task was extremely time-consuming, taking nearly forty hours to complete. The reason behind the prolonged effort was the spidering scan performed by the IBM solution, which continually traversed different pages through various links, leading to repetitive errors that required matching and deduplication. Out of the ten thousand vulnerabilities, approximately a thousand were legitimate, and the scanning capability was limited to DAST. To address these challenges, we migrated to WhiteHat Security. With WhiteHat's scanning process, the number of vulnerabilities was reduced significantly to around six or seven hundred. Their approach outperformed my manual efforts in identifying duplicates and further eliminated non-duplicate vulnerabilities that were caused by the same piece of code.

When I joined my current company they were already using Veracode.

The initial setup was straightforward. We connected to the Veracode cloud, so essentially, we are operating on their public cloud. Whenever we run any process, we send our code to them. They execute it, and we receive feedback from the execution.

I have not been involved in the initial deployment of Veracode, but I have been involved in deploying the pipelines, creating and building out the ISMs, and also administering users. Recently, we moved and integrated it with our single sign-on. Since we're using Okta, we performed the integrations, and now everyone connects through Okta.

We utilized a value-added reseller, and they provided integrators themselves. Additionally, we have direct connections with Veracode. So, my understanding is that we likely received assistance from both the value-added reseller's team and Veracode.

We have monthly calls with Veracode. I work directly with engineers and have access to their email addresses and telephone numbers. This way, whenever there's a problem or an issue, I can easily reach out to someone. Additionally, I receive almost daily emails regarding recent developments and occurrences.

We have seen a return on investment. We have two hundred teams, and approximately 70 percent of them are integrated with Veracode, running pipeline scans on about 50 percent of those. The remaining teams conduct manual SAST scans instead of using pipeline scans. We have likely saved 25 percent or more of the time it takes developers to go from a startup project to the final build and deployment, just by addressing vulnerabilities.

We pay based on the number of developers working on a particular project.

Our organization evaluated four or five different solutions before selecting Veracode. The issue with the others was that they only offered either SAST or DAST, but not both, whereas Veracode provides both.

I would rate Veracode an eight out of ten. Veracode needs to improve its SCA capabilities to become a market leader rather than a market follower. Another noteworthy area they are starting to focus on is container security. I assume they will compete with Laceworks and other companies in that domain, which makes it worth keeping an eye on.

Veracode's software build of materials feature is integrated into the software composition analysis, which we are currently exploring for utilization. However, at this time, we are using a third-party product for that purpose.

Veracode's false positive rate is very low based on what we have found. However, there are instances where it becomes confused, identifying one type of vulnerability when it is actually a different type that appears similar. Nevertheless, we always conduct verifications before approving a list of vulnerabilities for the developers to address. We thoroughly go through and verify at least most of the different types to ensure their validity. My team verifies the false positives, so the developers almost never see them. Because we don't encounter many false positives, we don't spend a lot of time fine-tuning policies. We'll make some minor adjustments, and it should mostly resolve the issue until we encounter a different type of false positive. Then, we'll have to address it separately.

One of the other things that I have observed recently is a tool called Veracode Fix. We have not examined it yet, but it's worth considering. Normally, we avoid implementing too many automated fixes because sometimes they end up causing even more issues, particularly when dealing with legacy code while transitioning to Veracode. Allowing automation could potentially lead to the application being permanently shut down, especially in cases like Software Composition Analysis and Software Bill of Materials where we may need to upgrade to a different or less vulnerable, open source piece of code. If we upgrade without ensuring compatibility with our existing setup, it could break numerous things. Hence, we previously attempted to use automated fixes, but the outcome was negative, and we have decided never to repeat that mistake. Therefore, it's something we plan to explore, but we need to ascertain if there have been any changes in that type of setup.

For someone who wants to use Veracode but is concerned about the cost, the amount of time saved, especially on the SAST side of things, makes it worthwhile.

We are a multi-cloud organization primarily using AWS, with 25 percent of our infrastructure on Azure and a smaller portion on Google Cloud. We are currently using Google services only because we are a Google shop rather than a Microsoft Office shop. As a result, all of our emails are managed through Google, and we rely on Google Docs and other related tools. 

There are four architects and a group of DevSecOps professionals who work directly with the development and operations teams. They form the security component of the organization and are responsible for operating Veracode on a daily basis. Their primary role is to assist the developers in integrating Veracode into their workflows, setting up pipelines, and collaborating with them when vulnerabilities are identified. They are available to help the developers understand why they received a vulnerability and guide them on how to address and eliminate it.

The only maintenance we will have to deal with is related to the ISM servers. These ISM servers are actually controlled by our company. There is an on-prem link to the Veracode cloud. When they conduct their scan, they access the server, which acts as a jump box. This enables them to scan our internal applications that do not have direct access to the outside world.

Veracode is a good Dynamic Application Security Testing tool, but it excels as an outstanding Static Application Security Testing solution for organizations that prioritize serious security measures.