SumalyaGuha - PeerSpot reviewer
Security Engineer at a comms service provider with 10,001+ employees
Real User
Gives us a good single pane of glass where developers and security professionals can manage and remediate flaws
Pros and Cons
  • "In pipeline scanning, there is a configuration that can be set with respect to the security level of the flaw. If there is a high or a critical issue, there's a way the build can be failed and blocked before going into production."
  • "Veracode's SAST, DAST, and SCA are pretty good with respect to industry standards, but with regard to container security, they are in either beta or alpha testing. They need to get that particular feature up and running so that they take care of the container security part."

What is our primary use case?

We use Veracode for static code analysis, dynamic code analysis, and software composition analysis. In our organization, we have a bunch of applications that are running on a monorepo or microservice level. We have to do SAST on those applications so that we have a code review done on a bit level. 

Going forward through the application pipeline, we do it on the dynamic level, as well, where we are scanning the public URLs of those applications to see what people can see externally. It's a type of out-to-in scanning in which we are analyzing the traffic that is sent out and even the traffic that is coming in, the response and request headers of the URLs, whenever someone is at a single URL. 

Finally, for the software composition, Veracode uses a third-party analysis tool in which it has the libraries and the functions that are being used at a source code level. They are open source or dependent files that are used for building that in-house application.

How has it helped my organization?

As a company, we have moved from using contractors and third-party consulting companies to creating our software through more of an in-house model. We are moving more into the DevOps realm with more of our own teams developing our software. Veracode fits that DevSecOps ideology. It is definitely helping us build more secure software than we previously had.

We have a bunch of applications into which we have integrated Veracode and we have seen that, in the final phase of production delivery, there are fewer vulnerabilities than we used to have.

And because Veracode has remediation and tracking within the platform, it becomes a good single pane of glass where the developers and the security professionals can operate and govern the flaws in the software. And they can take the necessary steps to remediate them.

In the metrics that we generate every month, we have seen the numbers go up with respect to remediation as well as the number of flaws that we catch. The word is spreading, and more and more application teams are using the static code analysis tool inside their pipelines. Overall, we are moving from reactive mode to proactive mode in remediating vulnerabilities through Veracode.

Veracode also helps our developers save time, in the big picture, compared to a situation without Veracode. Let's say there is an application on which no static analysis was done and the audit team says, "Hey, you don't have any static code analysis in your pipelines. You need to do something about that." They could scan the code that is already running in production and find flaws, but those flaws would take a lot more effort, time, and resources to mitigate compared to if they had been detected in a static analysis prior to the code going into production. In that way, it has definitely saved time. But if we are talking about short-term planning for sprints, it takes a little more time than usual because security is coming into the picture, as well. But overall, it helps save time.

Our security posture has gotten better since 2020. It takes time to do the integration of the platform and educate people about how to use Veracode, and then move on to remediating and validating things. But the journey that we had with Veracode has definitely helped us a lot, overall, with respect to bettering our security posture.

What is most valuable?

The static analysis is the most valuable aspect for us.

It also has the ability to block a build. In pipeline scanning, there is a configuration that can be set with respect to the security level of the flaw. If there is a high or a critical issue, there's a way the build can be failed and blocked before going into production. But the best case that I have found for blocking builds is in the staging area. You don't really want any blocking done on the production environment because there are business SLAs that the enterprise has to fulfill. The best case would be blocking the builds in the staging phase, the pre-production environment, so that everything is taken care of before it is pushed to production.

There are three integration points for Veracode. One is the IDE plugin. Whenever a developer is writing code on their IDE platform plugin for Veracode—whether IntelliJ or Visual Studio, et cetera—it tells them if that piece of code has any vulnerabilities and if there is a better way to write the code.

The next point is the pipeline integration in which, whenever a build is getting pushed from a standalone branch to the main branch, a scan is done on that commit to see if there are any vulnerabilities.

Finally, when the build is published with the whole module, it can do another scan, as well. These three scans have their own pros and cons. The policy scan, which is a build scan, does the scanning on an overall basis with regard to the different standards out there, like OS and Spin5. It scans the first-party and third-party code, which is the most holistic scan that there can be. But the point is that it scans at three different integration points or stages, so it helps developers to remediate their vulnerabilities before they have moved far in the pipeline. Shift-left is definitely possible through Veracode.

What needs improvement?

Veracode's false positive rate is a little toward the higher side. We understand that Veracode doesn't have the business context. I advocate that people look at their code, even though there is a vulnerability, to see exactly what it is. For example, a randomize function is being used to create an ID that is not being hashed. Veracode marks it as a false positive because it doesn't know if the ID is being used for cookie generation or some random ID in the log generator. We, as dev or sec people, have to go in there and analyze what the ID is being used for. But the false positive rate is definitely a little bit on the higher side.

The effect of the false positive rate on developers' confidence in the solution depends on the maturity level of that particular application team with respect to learning Veracode. In the initial stages, obviously, when developers see that, whenever they're writing code or pushing a build, there are a bunch of vulnerabilities, it may affect their confidence. But a couple of months or a couple of quarters down the line, when those same developers have already used Veracode and have raised their maturity level from one to at least three, it doesn't really affect them because they know that they have to go in there and check the vulnerabilities for themselves to determine if it's a false positive or a real vulnerability.

It has definitely taken a little more time to validate the false positives, but I would say there are a lot of true positives, as well, which have been remediated and which have been mitigated for the betterment of the security posture. But it has definitely taken a little more time to mark or validate those positives. Hence, I definitely advocate that people shift a little more to the left. They should do IDE and pipeline scanning before they hit policy scanning because, with IDE and pipeline scanning, you scan small chunks of code. You remediate that code faster, before it goes to the whole package and there's a bunch that you have to deal with.

Also, container security is slowly becoming a prevalent part of the development realm. Veracode's SAST, DAST, and SCA are pretty good with respect to industry standards, but with regard to container security, they are in either beta or alpha testing. They need to get that particular feature up and running so that they take care of the container security part.

In addition, there is a new concept out there, the IAST, which is interactive assessment security testing. It is a little more proactive than SAST. So if Veracode can combine that feature with their current technology, they would definitely be a front-runner again for the next five to six years.


For how long have I used the solution?

I've been using Veracode for the last three and a half years.

What do I think about the stability of the solution?

Once or twice a month there is maintenance on the Veracode side because they're updating some signature in their database or something else. I have seen maintenance coming up, but it's not an issue because the pipelines and integrations that we are running keep on running in the background. It's just the GUI that we are not able to access at that particular time.

What do I think about the scalability of the solution?

It's pretty scalable if our enterprise has the licenses for scaling the applications. I haven't faced any issues with regard to scalability, apart from licensing, of course.

How are customer service and support?

We have contacted Veracode's tech support a bunch of times. The only downside is the time needed to schedule a consultation call with the pro services team, keeping in mind that enterprises need to buy pro services licenses before they can use it.

When someone is scheduling a meeting with them, the issue type should be as precise as possible. In that way, they can rope in the exact SME for that particular topic, because in the development realm there are so many languages and so many types of issues out there. There are different personnel for each of those categories. So the more precise the details are for the meeting, the better the SME will be for that particular consultation.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have only used Veracode, right from the start.

How was the initial setup?

The initial setup was pretty straightforward. They have a SaaS solution and there are a bunch of API integrations that made it pretty straightforward.

As for maintenance, all the upgrades and updates are done on Veracode's side. But there is a wrapper. When we are doing the integration, there is a package that we use to upload the files in Veracode. Sometimes there is a new release for that package and we have to update it in the GitLab repo. That's the only maintenance we need to do.

What's my experience with pricing, setup cost, and licensing?

They have made it worth the price with the kind of discount and the kinds of modifications they made for us with regard to licensing. Previously, it was per profile. But they have adjusted according to our requirements because we are a big company and we handle a lot of applications. There's a tiered discount that they have provided us, so the cost is justified.

If someone looking at Veracode is concerned about the price, it depends on their requirements. I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing. Obviously, there are other cutting-edge solutions that have become available recently, but Veracode is something that a big organization should look at.

What other advice do I have?

When it comes to managing risks, we use the remediation feature that Veracode has. Whenever there is a flaw, we do have tickets open up for it and the application owner or the developer goes through the vulnerabilities. There are times when the vulnerability is a false positive and you can mark it as such within the Veracode platform itself. And we, as security professionals, do the validation for whether the business justification is good or not. And we either have a source code review for the vulnerability or have an exception open up for the remediation step that the application or the owner is asking for. We do risks via the platform, as well as through the ticketing tool that we use.

We are also using SBOM (Software Bill of Materials) for inventorying all the different kinds of modules and libraries that we are using for an application. Using the SBOM feature, you would have to leverage the API to get the inventory from the API calls that Veracode has. But in our organization, we use the GUI report generation more than the SBOM report because there is an executive summary in the GUI report with regard to first-party and third-party flaws. It also has the mitigation steps. SBOM would only give you the list of software, libraries, and versions that are being used. It is not as detailed as the GUI report that Veracode provides.

Things to consider when looking at Veracode include the different integration points where you want to integrate Veracode, how big your organization is, and how many applications you want to do security analysis on. If it's a big organization, Veracode is obviously a solution to evaluate, but for a small organization, below 500 apps, it might be a little pricey. Also, you will need a couple of Veracode champions on your team who know it inside out. You will need training provided by Veracode, so make sure that is included during the procurement stage. That will help you implement the tool within your organization faster and much more efficiently.

I would have given Veracode a nine out of 10 a couple of years back, but given the tools that are coming out on the market, and the scope of development, which is increasing, I would place it at eight.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
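The build-blocking policy the review above describes (fail on high or critical in staging, never block the production path, and only count flaws whose false-positive status has not yet been approved by security) can be expressed as a small gate. This is an added example, not Veracode's code or report schema; the findings, field names and mitigation states are constructed for the demo.

```python
"""Severity gate for a pipeline scan, modelled on the process in the review.

Added example, not Veracode's own code or data format. The sample findings
below are constructed; the field names are assumptions for this demo.
"""
import sys
from dataclasses import dataclass

# Ordering used to compare a finding against the gate threshold.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    flaw_id: str
    severity: str            # one of SEVERITY_RANK
    cwe: str
    mitigation: str = "none"  # "none", "proposed" (dev marked FP), "approved" (security validated)


# Constructed sample scan output (not a real Veracode report).
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", "CWE-89"),                       # open SQL injection
    Finding("F-2", "high", "CWE-79", mitigation="proposed"),    # dev says FP, not yet validated
    Finding("F-3", "high", "CWE-259", mitigation="approved"),   # security confirmed FP
    Finding("F-4", "medium", "CWE-327"),                        # below threshold
]


def blocking_findings(findings, threshold="high"):
    """Return the findings that should block: at or above the threshold and
    without an approved mitigation. A merely proposed mitigation still counts,
    because the security reviewer has not validated the business justification."""
    min_rank = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK[f.severity] >= min_rank and f.mitigation != "approved"]


def gate(findings, stage, threshold="high"):
    """Decide whether the build may proceed at the given stage.

    Staging / pre-production builds are failed when blockers exist; the
    production path is never blocked (business SLAs), it only gets a warning.
    """
    blockers = [f.flaw_id for f in blocking_findings(findings, threshold)]
    if not blockers:
        return {"decision": "pass", "stage": stage, "blocking": []}
    decision = "warn" if stage == "production" else "fail"
    return {"decision": decision, "stage": stage, "blocking": blockers}


def exit_code(result):
    """Map the gate decision to a process exit status for the CI runner."""
    return 1 if result["decision"] == "fail" else 0


if __name__ == "__main__":
    # Usage: python gate.py [staging|production]
    stage = sys.argv[1] if len(sys.argv) > 1 else "staging"
    result = gate(SAMPLE_FINDINGS, stage)
    print(result)
    sys.exit(exit_code(result))
```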
Avdhesh Bhardwaj - PeerSpot reviewer
VP, DevSecOps Engineer at Truist
Real User
Top 20
Has Greenlight plugin which is useful for quality checks of code
Pros and Cons
  • "I appreciate Veracode's SAST and SCA features, which help to find open-source vulnerabilities. I'd estimate it's about 98% accurate, though some false positives occasionally exist. Our team has been using it for a long time."
  • "The solution should include monthly guidelines, a calendar, or a newsletter highlighting the top vulnerabilities and how to resolve them using Veracode. Its policies should be up-to-date with NIST standards and OWASP policies."

What is our primary use case?

We use Veracode for static code analysis of our applications in two main ways: reactively and proactively. For the reactive approach, we run automatic scans nightly after developers merge changes from feature branches into the release branch. Proactively, we use the Veracode Greenlight plugin, which checks for vulnerabilities when developers try to commit code, even on feature branches, only allowing commits after passing these checks.

What is most valuable?

I appreciate Veracode's SAST and SCA features, which help to find open-source vulnerabilities. I'd estimate it's about 98% accurate, though some false positives occasionally exist. Our team has been using it for a long time. 

We sometimes use the free access to the tool's application security consulting team. We reach out to them when we've tried to change our code based on its recommendations but still can't achieve 100% green status. They help us fix issues in real-time through screen sharing and development work.

We saw the tool's benefits long ago when we first implemented it. Security is a top priority for us when working for a bank. We recognized the solution as one of the best tools in the market and decided to integrate it into our pipeline. We set up quality checks in our pipelines so that any code with high or critical vulnerabilities can't even be deployed to the development environment. This proved helpful for our team. Now, we have a quality gate that checks the Veracode status before any code goes into production. If Veracode scanning shows no vulnerabilities, the code can only be deployed to production. We strictly follow this process and have made Veracode an integral part of our Software Development Life Cycle approach.

Veracode has also helped us save time, especially with its proactive approach. The Greenlight plugin works directly in our IDE and is particularly helpful.

What needs improvement?

The solution should include monthly guidelines, a calendar, or a newsletter highlighting the top vulnerabilities and how to resolve them using Veracode. Its policies should be up-to-date with NIST standards and OWASP policies.

I think if it could be enhanced with AI capabilities similar to Copilot, it could be even more beneficial in guiding developers and catching potential issues early in the development process. The solution should also come up with Docker images.

For how long have I used the solution?

I have been using the product for six years. 

How are customer service and support?

The product's support is good. 

How would you rate customer service and support?

Positive

How was the initial setup?

The solution's deployment is easy. 

What other advice do I have?

I rate the overall product an eight out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Jan Pašek - PeerSpot reviewer
Tech Lead at a financial services firm with 10,001+ employees
Real User
Top 20
Provides clear visibility into flaws, and helps improve security posture, but the false positive rate is high
Pros and Cons
  • "I like the way the flaws are reported in the system."
  • "The area with the most room for improvement is the speed and responsiveness of the query, as it is usually very slow."

What is our primary use case?

We have some applications that connect to external providers or provide external services that users can access from the public internet. We are uploading these applications to Veracode to assess the security threats that our code may pose.

How has it helped my organization?

Veracode's analytical capabilities are very good, but I'm not sure if they have prevented security vulnerabilities from going into production in our case because we haven't been using them optimally. We're now working on integrating them into our development pipeline so that we can test applications before they're released. This will also allow us to familiarize ourselves with the sandboxes during development. I believe that if we start using Veracode correctly, it will be very beneficial in preventing security vulnerabilities from going live.

The main benefit of Veracode is the software composition analysis because it helped us identify that we were using some libraries with security flaws. This is important because the individual software components are owned by different smaller teams, and all of those teams contribute to one overall large application. Therefore, there is no single person who would be able to take care of all of the third-party libraries that we are using. Veracode analyzing the libraries that we use is therefore beneficial to us.

Veracode's policy reporting for insurance compliance depends on how our organization uses it. I'm not sure if we're using it to the best of our ability because, for example, I discovered that there is a central space where we can run analysis and sandboxes. Based on what the Veracode expert I spoke to told me, policies should be reported from the danger space, but in our organization, we're reporting them from the Prod CI sandbox. This doesn't seem to be a good solution because the overall application is displayed on the main page, which doesn't reflect what our compliance teams think about our applications. Besides that, I think it comes down to how we're using Veracode within our firm. Overall, I think it's great that the firm can configure certain policies to monitor applications, and the flaw report also enables us to see the flaws that need to be fixed to become compliant, which is a good feature. From Veracode's perspective, everything looks fine.

Over the past year, we discovered a severe security flaw in Log4j 1.2.15. We initially believed that this version had been replaced with a newer version that does not have the flaw, but our software composition analysis reports revealed that this is not the case. We still have a few binaries that depend on Log4j 1.2.15, which is vulnerable. The software composition analysis results prompted us to schedule a replacement with a new version, which is currently underway.

Veracode has helped us fix flaws effectively. Our security teams enforce monitoring and fix deadlines for reported flaws. If a reported flaw cannot be accepted as a false positive, we must fix it promptly to maintain a high success rate.

Veracode has improved our security posture and will continue to do so as we learn to use the solution more effectively.

What is most valuable?

I like the way the flaws are reported in the system. It is quite clearly visible where the flaw is coming from, and it is possible to upload the code to see exactly which line was identified as a security threat. I also like the software composition analysis that Veracode provides, because we can see third-party libraries that are used in our software and check if there are any known security flaws in those libraries.

What needs improvement?

There are many false positives, especially one particular type: reported hard-coded passwords in the code. We do not have hard-coded passwords in our code, but we are using third-party libraries that have variables with passwords in their names. For example, a variable might be named "passwordForCommonFixFile" or "passwordForSecurityStore." Veracode's keyword analysis probably assesses these variables as hard-coded passwords. This is problematic because the false positives are coming from third-party libraries, and we cannot easily check the flaws to see if they are false positives. To fix the problem, we have to compile the code, which we should not have to do. We are forced to accept the false positives because we know from the software and system design that there cannot be hard-coded passwords in the third-party libraries we are using. If the libraries were generic, then there would be no chance that they would have hard-coded passwords for the specific services that we are connecting to. To reschedule the scan, we have to go through some bureaucracy. 

Despite the presence of many false positives, we remain confident in Veracode. However, the impact on developer confidence is negative, as it leads to resistance to enforcing certain development processes, including the use of Veracode in the development pipeline. This is understandable, given the complexity of the process required to reschedule the flaw for a single false positive. This process requires approval from the system owner, a senior manager, and the cybersecurity team.

Veracode has increased the work time of our developers because of the false positives.

The area with the most room for improvement is the speed and responsiveness of the query, as it is usually very slow. I am not sure if there is a specific space allocated for us that can cause this, but when I open an application and want to click through multiple scans to see the differences, or if I want to do anything else, everything loads very slowly. This makes it much less user-friendly to play around with the GUI and explore the features.

For how long have I used the solution?

I have been using Veracode for three months.

What do I think about the stability of the solution?

Veracode is stable but a bit slow.

How are customer service and support?

I have only one experience with Veracode support, but it was very positive. I used the schedule consultation feature in the GUI, which was very useful. We had some questions about how to correctly upload a code, and I was able to schedule a call with a Veracode expert. The support person who helped me provided me with many insights, answered all of my questions, and even went beyond what I asked to explain how to use the feature and improve our process.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment is complex because our system is huge, consisting of hundreds of different binaries. Dozens of teams contribute to the releases, and as a result, a large number of changes are deployed at the same time. This makes it very easy to break something, and there are many people involved in the process.

The deployment required a core team of five, with some additional people on hand to support if anything went wrong. The maximum time for deployment was one day.

What other advice do I have?

I give Veracode a seven out of ten due to the slow speed and the false positives.

We only use Veracode for static analysis. We do not use the other features at all.

We have infrastructure deployed in multiple locations around the world. In my team, 50 people use Veracode. Across the entire organization, it is used by hundreds, if not thousands, of users.

I advise everyone to use Veracode in their development pipelines, so that scans can run very frequently, at least once during each nightly build. This will ensure that reports and flaws are addressed effectively. From my development perspective, I recommend against enforcing specific rules on using Veracode, giving deadlines to fix flaws, or introducing additional bureaucracy. This can worsen the developer experience and lead to developers finding ways to avoid having flaws reported, such as by decreasing the frequency of scans. In my opinion, the more processes and bureaucracy we add, the less useful Veracode will be. 

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
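The false-positive pattern described in the review above (identifiers such as "passwordForCommonFixFile" being reported as hard-coded passwords) comes from matching on the variable name rather than on what is assigned to it. The added example below, which is not Veracode's code or its actual detection logic, contrasts a name-only keyword check with one that requires a non-empty string literal on the right-hand side; the source lines are constructed for the demo.

```python
"""Name-based versus literal-based hard-coded password checks.

Added example; it does not reproduce Veracode's actual rules. The source
lines are constructed to mirror the variable names quoted in the review.
"""
import re

# Constructed sample source (Java-style), not taken from any real code base.
SAMPLE_SOURCE = [
    'String passwordForCommonFixFile = props.getProperty("fix.file.password");',
    'String passwordForSecurityStore = System.getenv("STORE_PASSWORD");',
    'String dbPassword = "hunter2";',
    'String password = "";',
    'int passwordMinLength = 12;',
]

# Any identifier whose name contains a password-like keyword.
KEYWORD = re.compile(r'(?i)\b[A-Za-z_]*(password|passwd|pwd)[A-Za-z_]*\b')

# Same identifier, but only when a string literal is assigned directly to it.
LITERAL_ASSIGN = re.compile(
    r'(?i)\b[A-Za-z_]*(password|passwd|pwd)[A-Za-z_]*\s*=\s*"([^"]*)"')


def classify(line):
    """Return one of:
      "hardcoded": a password-named identifier receives a non-empty literal
      "name_only": the name matches, but the value comes from config/env/elsewhere
      "clean":     no password-like identifier on the line
    """
    m = LITERAL_ASSIGN.search(line)
    if m and m.group(2).strip():
        return "hardcoded"
    if KEYWORD.search(line):
        return "name_only"
    return "clean"


def naive_flags(lines):
    """Line numbers a name-only check would report (the reviewer's complaint)."""
    return [i + 1 for i, line in enumerate(lines) if classify(line) != "clean"]


def refined_flags(lines):
    """Line numbers reported when a non-empty literal is actually assigned."""
    return [i + 1 for i, line in enumerate(lines) if classify(line) == "hardcoded"]


def triage(lines):
    """Per-line verdicts, useful when reviewing a batch of reported flaws:
    'name_only' hits are the candidates for a false-positive mitigation."""
    return {i + 1: classify(line) for i, line in enumerate(lines)}


if __name__ == "__main__":
    print("name-only check flags:", naive_flags(SAMPLE_SOURCE))
    print("literal-aware check flags:", refined_flags(SAMPLE_SOURCE))
    for lineno, verdict in triage(SAMPLE_SOURCE).items():
        print(lineno, verdict, SAMPLE_SOURCE[lineno - 1])
```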
Ashish Upadhyay - PeerSpot reviewer
Founder at BlockMosiac
Real User
Top 5 Leaderboard
Identifies vulnerabilities, reduces false positives, and offers very good support
Pros and Cons
  • "It's good at identifying security issues. It can pinpoint issues very effectively."
  • "The interface is too complex."

What is our primary use case?

We're a blockchain-focused company specializing in data visualization of finance applications. So our main motivation was to use the solution for the defense of finance applications.

We use it for security and the integrity of data. It helps us with the dynamic analysis of code to help prevent potential exploits. We are able to check for vulnerabilities before and after our products have been published. It's a very secure and reliable solution. 

How has it helped my organization?

It's helped us with organizational success by increasing our security success. It's helping us to optimize performance and enhance efficiency. The user experience has been very good. It's helped us to streamline our CI/CD pipeline. It's also helped provide our team with actionable insights. It helps us deliver a robust, efficient, high-performance product.

What is most valuable?

It's good at identifying security issues. It can pinpoint issues very effectively. 

The solution helps us build and maintain trust between users and partners.

It's specifically designed to be customizable. We can maintain robust and secure code.

We can easily identify vulnerabilities. Many others, like Microsoft, aren't able to catch certain vulnerabilities. This is much more effective.

I use a variety of features in the solution. Many can be integrated with various software tools. There are good scanning capabilities and data analysis features as well. 

We use the software bill of materials feature. It helps us manage our risks. We've seen dramatic changes in our risk posture. The detection of security incidents has increased. We also have noted a faster time to market for our features by 40%.

The compliance reporting has been very good. It's very easy. We can do it within a couple of hours. It helps us stay in compliance with standards and regulations. 

The visibility and transparency we get through static analysis, dynamic analysis, software composition analysis, and manual penetration testing through our SDRC are excellent.

The false positive rate is very low. Using this platform, we spend way less time performing investigations. It helps improve our employees' confidence rate in managing the static analysis. We're saving about 50% of our time now that we have fewer false positives.

We are able to efficiently fix flaws. We've mitigated potential vulnerabilities by 50% and reduced incidents by 30%.

It's helped us save time. Most tasks are done with much less time needed.

After implementing the solution, we've seen a much better security posture. The security incidents and associated costs have lowered substantially. 

I'd reduced the cost of DevSecOps in our company by 40% to 50%.

What needs improvement?

There are various areas that could be improved, including better integration. 

The false positives can be lowered. 

The interface is too complex. The UI needs to be improved. They need to make the learning curve lower. They should include more guidance in terms of usage.

The cost is high for smaller organizations. 

For how long have I used the solution?

I've been using the solution for six weeks.

What do I think about the stability of the solution?

It's a very stable solution. I'd rate the stability eight out of ten.

What do I think about the scalability of the solution?

We have not had any issues with scaling. It has a good amount of scalability for enterprises. It appropriately accommodates growing code. 

How are customer service and support?

The technical support is good. They have helped us a lot and their technicians are very knowledgeable. They are responsive and adaptable to our specific needs. They are committed to maintaining high standards. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used to use Fortify before using Veracode. 

Veracode is more mature in its scanning features. It also has better security. It's very easy to use and has good cloud elements. The SaaS model is better as well. It has bigger advantages for a smaller company looking for a more straightforward deployment. The framework and programming language are far better in Veracode compared to Fortify.

How was the initial setup?

The deployment, if it's straightforward, takes around three to four hours. We had two to three people setting up the solution. You would not need more than that. The deployment was pretty straightforward and easy. The implementation process was exceptionally positive. 

What about the implementation team?

They do have dedicated professionals who demonstrate a deep understanding of unique challenges. 

What was our ROI?

We have witnessed an ROI. We've noted a reduction in incidents, for example, and our company has witnessed a 20% growth in the time we have used it.

There is no maintenance required.  

What's my experience with pricing, setup cost, and licensing?

The pricing is okay for us; however, it can be high for others. It can cost more than $1,000 per application, which can be a lot for smaller companies. However, it is cheaper than Fortify. While it could be cheaper, it is worth the price. 

What other advice do I have?

I'm a customer.

While the pricing is high, it can improve a company's ROI.

It excels in providing robust vulnerability testing. It's great for app or web development, among other uses. Users need to make the most out of the product by taking advantage of their service and support.

I'd rate the solution nine out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Shiva Prasad Reddy - PeerSpot reviewer
Program Analyst at a tech services company with 10,001+ employees
Real User
Helps developers look at things with a different, more secure, perspective, decreasing the flaw rate
Pros and Cons
  • "It pinpoints the errors. Its accuracy is very interesting. It also elaborates on flaws, meaning it provides you with details about what is valid or not and how something can be fixed."
  • "There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. Also, the duration of the scan is a bit too long."

What is our primary use case?

In my previous company, we had a healthcare app. We used Veracode to run a spontaneous static analysis as well as dynamic analysis, to resolve our vulnerabilities. We were releasing versions every month. Each month we were looking at the results of Veracode and fixing the problems.

How has it helped my organization?

It helps fix a lot of flaws and bugs. As a developer, you look at things with a different perspective with the Veracode results. You can see that certain things can be implemented in another way, how they can be more secure. As a result, it helps improve your level of understanding and decrease the number of production issues.

Using Veracode, it was very interesting to see the difference when I compared things over a three-month timeline. During the initial three months, when I started using Veracode, I found the percentage rate of flaws was around 60 to 70 percent in the entire file we were uploading. After using Veracode over the next three months, our score decreased to a 30 to 40 percent flaw rate. We were able to do our quarterly development in a very secure way.

For example, we recently encountered a flaw that might be exploited. We implemented a function to store passwords that were encrypted. That functionality was written in a pretty vulnerable manner. By looking at the code, we could see, "Okay, this might be exploited." But when Veracode pointed out multiple times, "This might be vulnerable," and "This might be vulnerable," it helped us improve our developer standards. It gave us a brief idea of how this particular code implementation could be improved.

There is also a feature called Veracode Pipeline Scan which provides instantaneous feedback. That was a major addition to our process and has worked out very well. Developers get instant feedback about their flaws, making them easy to fix while in pre-production. That is one of the major boosts that we have implemented. It enables our developers to fix things in parallel, and that has saved time, about 20 to 25 percent, and resulted in better coding. As a security guy, I can see the differences between the initial processes and the processes we have six to eight months after implementing Veracode Pipeline Scan and Veracode in general. 

Overall, it has reduced the time that we used to spend working manually to pinpoint the issues that we found. Veracode makes it an automated process. Also, we can use it in parallel. If Veracode is the main "hub," we can have "sub-hubs" such as static analysis and Veracode Pipeline Scans. Both can be done simultaneously, reducing the manpower required by a lot, and providing correct results. And it has improved our understanding of the different kinds of flaws and vulnerabilities that are in the report. Veracode, as a tool, has made things better.

In terms of security posture, when I had just joined my previous organization, there was a meeting about client feedback. Initially, their comments were that things were not very stable. They said it was easy to steal data. After using Veracode, and as our developers adapted the tool and developed secure code, the client's feedback was that things were pretty stable and good. At first, the feedback was very ruthless. We were not up to security standards. But once we started using Veracode, it became the main pillar of our security. We overcame certain challenges and the client feedback was pretty good.

What is most valuable?

It yields around 90 percent accurate results. It pinpoints the errors. Its accuracy is very interesting. It also elaborates on flaws, meaning it provides you with details about what is valid or not and how something can be fixed.

Another valuable feature is in the dynamic analysis, which provides information on which libraries are outdated so that we can improve them and get them up to date. We found a lot of outdated libraries in use in our organization. As a result, it has improved our stability. The software composition analysis keeps you updated on each kind of data it reports on, including libraries and third-party DLLs.

What needs improvement?

There is a sandbox limit of 10 so any company using Veracode needs to plan for only having those 10 sandboxes. If they increased that to 25 or 30, the scan time would decrease and the results should be more effective.

There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. 

Also, the duration of the scan is a bit too long.

For how long have I used the solution?

I used Veracode in my previous company but recently changed to a new company. Overall, I have used it for around 1.5 years.

What do I think about the stability of the solution?

Its stability is fine. On a scale of one to 10, I would give it a seven for stability.

What do I think about the scalability of the solution?

It's a scalable solution.

We have it implemented in two offices, the main office in the US and a single office in India. There are only 10 to 12 people using it in our organization, meaning in India. I am not aware of how many users there are in the US.

How are customer service and support?

Their support team needs to respond in less time. It takes a lot of time for them to respond. When we reach out, we are waiting, most of the time, for two or three weeks to get a reply from them. That is the one major piece of feedback I have for Veracode.

Their technical support is very good, except for the response time. When we are stuck with something technical, they explain how to use it in multiple ways. They are supportive and that is pretty good.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We were using a couple of other tools along with Veracode. One was SonarQube and the other was Acunetix.

What other advice do I have?

The false positive rate is pretty low. When I started using Veracode, there were a lot of false positives, but that number became notably smaller. There are some false positives because new types of flaws are generated for each new version.

Initially, in general, whenever you see any kind of false positives or true negatives, it reduces your confidence. But whenever the reports are generated by Veracode, as developers we can understand that they show certain patterns of what might be a false positive. So we get an idea that this kind of a flaw might be a false positive while this kind might not be a false positive. We get clarity about the reports sent by Veracode. At a certain point, we might be sure that we can explain all the false positive data to management so that they can look into them and understand: If this kind of data or this kind of code flaw comes up, it is a false positive. We can easily associate these scenarios with false positives because they are normal and common.

During the initial phase, false positives affect our time because we can't deduce any conclusions. Static analysis is the kind of process in which you will encounter false positives in certain cases. But after a couple of implementations of machine learning, the results should be pretty accurate and the false positives should decrease.

Preventive maintenance is critical. Per my experience with Veracode, there are certain maintenance issues, but they are the normal types of things.

I would highly recommend Veracode, but initially, don't do a deep dive into the tool. Take a couple of licenses to start adapting to the tool and work out how it works and whether it's suitable for your development processes and developers, and get their feedback. I highly recommend it because it's a real time-saver, provides stability, and improves your organization's productivity.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Zach Handzlik - PeerSpot reviewer
Release Manager/Scrum Master at Amtech Software
Real User
Is easy to install, has low false-positive rates, and saves time with continuous integration
Pros and Cons
  • "Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention."
  • "I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning. If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously."

What is our primary use case?

We use it primarily for our application security concerns. We use the dynamic, static, and SCA scanning tools. We run our static scans after the code is compiled, and that gets uploaded automatically through our DevOps tool. We have installed an agent in one of our cloud servers that is behind a firewall to run the dynamic scan against the runtime. We run our SCA scans when we do the static scans, which is after compilation.

How has it helped my organization?

Prior to using Veracode, we hadn't really looked into security features or thought about security in the same way that we have since we started using Veracode. We were focused on what you hear about in the news, such as making sure that it is HTTPS secured. We hadn't really dug into the nitty gritty of application security and scanning our source code, running it against a runtime environment, and looking at the actual third-party solutions that we integrate or use in our code. Veracode has helped with our mindset as an organization to start thinking about things more securely by design rather than as a reactive measure. We're being more proactive with security.

What is most valuable?

Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention.

We feel very confident about Veracode's ability to prevent vulnerable code from going into production. Having the stamp of approval helps not only from a marketability standpoint but also from an overall good feeling within the organization that we're doing our part to help keep our code free from vulnerabilities.

This solution provides visibility into application status at every phase of development. It goes from compiling the code all the way to running it in production. It covers all major aspects of the SDLC. We run static scans and SCA scans early on in the process to make sure that we catch any code that is insecure by design. If we are able to catch it earlier on, before it's actually out in the production environment, it reduces costs. The dynamic scans are run further along in our QA process. That is, once we've deployed the code and have it in a runtime environment, we run weekly scans in a dynamic environment against the code runtime to make sure that there aren't any new vulnerabilities that got introduced. We are looking at doing manual penetration testing in 2023, where we would be using a spinoff of the code that was released to the customers to make sure that there aren't any holes through which a nefarious actor could get in and exploit what was built.

Veracode's false-positive rate is low. The few instances when it looked like there were false positives, the issues were found to be either true vulnerabilities or things that were that way by design. If a developer thought that there would be a ton of false positives when using the tool, it would then diminish the value of actually using the tool. Veracode touts itself as being a tool with the lowest false-positive rate in the market. It gives inherent confidence in the tool itself, and developers are more inclined to think that if it found something, it's pretty likely that it is not a false positive. They would then work to prove it wrong rather than discounting it without even looking into it.

We haven't really found many false positives with static analysis, and there hasn't been a significant impact on our time and cost related to tuning, leveraging data, and machine learning.

Continuous integration linking definitely saves a lot of time because it takes away the step where a developer needs to manually upload the code every time to do a scan. It can run in the background, and having the Visual Studio plugin includes it directly in the development environment. If developers do get assigned a bug that they need to fix, they can pull it right up in their development environment and not have to log in to the portal. It will all be right there.

I'm primarily the one who has been involved in DevSecOps, and Veracode has definitely reduced my time. If we had gone with a conglomeration of open-source tools, it would've taken me a ton more time. Whereas with Veracode, all the documentation is out there, and I'm able to integrate everything that I need from a usability standpoint. I don't have to learn a new tool every time I need to integrate a new security scanning option. It has helped me tremendously and has saved me a lot of time.

What needs improvement?

I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning.

If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously.

For how long have I used the solution?

I've been using Veracode for a little over a year now.

What do I think about the stability of the solution?

I haven't had any stability issues, bugs, or glitches.

What do I think about the scalability of the solution?

The scalability is really good. I recently added to the solution some new applications that I learned about late in the game. There were probably 10 that I had to add in rapid succession and scan as well. It was very quick and painless.

How are customer service and support?

Veracode's technical support is very responsive, and I've heard back within 24 hours regarding a couple of issues I've entered. We have actual consulting calls, which are a scheduled event, and I like the way they handle those as well. I have nothing but good things to say about them and give them a rating of ten out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

I was involved with the initial setup of Veracode, and it was straightforward. We had a third-party vendor who was evaluating it, so a little bit of the setup was done. However, adding a new application to the tool is easy and self-explanatory. It doesn't take much time at all, and the documentation is out there if we need to look up anything.

What about the implementation team?

We implemented it with the help of a third-party vendor. They had two people on their team who were working on the deployment along with me. My responsibilities included adding all of our software to the tool to run scans against it, integrating it with our DevOps solution, discussing the tool itself with internal stakeholders as to how they can use it and showing programmers how to use the tool from an internal adoption standpoint.

What's my experience with pricing, setup cost, and licensing?

I know that Veracode is a semi-pricey solution. If you are serious about security, I would recommend that you use an open-source option to learn how the scanning process works and then look into Veracode if you want to really step up your game and have an all-in-one solution.

Which other solutions did I evaluate?

We evaluated a couple of open-source tools such as Snyk and SonarQube against Veracode with the help of a third-party vendor. We didn't use any of those and landed on Veracode because of the Veracode Verified seal. This, along with Veracode being the market leader, gave Veracode an edge over the others.

The main difference between Veracode and the solutions we evaluated is that Veracode is an all-in-one solution. Though an open-source solution would've been more cost-effective, we would've had to use a bunch of different tools. It would have required more knowledge to do the integration piece and would've taken a lot more time and effort. There would have been invisible costs associated with it just by the virtue of time. In comparison, Veracode's dynamic scan, static scan, and software composition analysis are all in one place.

What other advice do I have?

My advice would be to look at the open source tools out there and see how far along you are in your security journey and what your needs are. If you're looking for the best in the market, Veracode is a great option, as far as paid solutions go, because it's a one-stop shop. If you have more time at your disposal and you don't mind integrating some solutions, then I'd recommend an open-source tool. However, if you have the resources, I would definitely recommend going for Veracode.

On a scale from one to ten, I would rate Veracode at nine.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
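Two of the reviews above turn on the same mechanism: Pipeline Scan feedback on a developer's change before it merges, and a baseline scan so that only new flaws, not the known backlog, decide whether a build is blocked. The script below is an added example, not Veracode's own code or anything from the reviewers, that shows the gating logic a CI job would apply to a Pipeline Scan results file. The results.json layout it reads (a top-level `findings` list, an integer `severity` from 0 to 5 with 5 meaning Very High, `cwe_id`, and `files.source_file` with `file`, `line` and `function_name`) mirrors what Pipeline Scan writes to the best of my knowledge, but is an assumption here; compare it with a real results file before relying on it. The two JSON documents are constructed for the example. To the best of my knowledge the scanner's own command line already offers a fail-on-severity option and a baseline file; the script exists to make the comparison rule explicit and adjustable, since a finding's numeric `issue_id` is not something you should rely on matching across scans, and line numbers move between commits.

```python
"""Break-the-build gate over a Veracode Pipeline Scan results file.

Added example, not Veracode's own code. The results.json field names below
(findings[].severity as an integer 0-5, cwe_id, files.source_file.file/line/
function_name) are an assumption modelled on the Pipeline Scan output; verify
them against your own results file. The sample documents are constructed.
"""
import json

# Assumed Veracode numeric severity scale, highest first.
SEVERITY_NAMES = {5: "Very High", 4: "High", 3: "Medium",
                  2: "Low", 1: "Very Low", 0: "Informational"}

# Constructed sample: the scan of the feature branch under review.
CURRENT_RESULTS = json.dumps({
    "scan_id": "constructed-scan-2",
    "findings": [
        {"issue_id": 1001, "severity": 5, "cwe_id": "89",
         "issue_type": "Improper Neutralization of Special Elements used in an SQL Command",
         "files": {"source_file": {"file": "app/db.py", "line": 42, "function_name": "find_user"}}},
        {"issue_id": 1002, "severity": 3, "cwe_id": "117",
         "issue_type": "Improper Output Neutralization for Logs",
         "files": {"source_file": {"file": "app/log.py", "line": 10, "function_name": "log_login"}}},
        {"issue_id": 1003, "severity": 4, "cwe_id": "327",
         "issue_type": "Use of a Broken or Risky Cryptographic Algorithm",
         "files": {"source_file": {"file": "app/crypto.py", "line": 7, "function_name": "hash_password"}}},
    ],
})

# Constructed sample: the already-triaged baseline scan of the main branch.
# Finding 1003 was present there, so it is known debt, not a regression.
BASELINE_RESULTS = json.dumps({
    "scan_id": "constructed-scan-1",
    "findings": [
        {"issue_id": 1003, "severity": 4, "cwe_id": "327",
         "issue_type": "Use of a Broken or Risky Cryptographic Algorithm",
         "files": {"source_file": {"file": "app/crypto.py", "line": 7, "function_name": "hash_password"}}},
    ],
})


def finding_key(finding):
    """Identity used to match a finding against the baseline.

    issue_id is per scan and line numbers shift between commits, so the key
    is CWE plus file plus function, which survives unrelated edits nearby.
    """
    src = finding["files"]["source_file"]
    return (finding["cwe_id"], src["file"], src.get("function_name"))


def load_findings(results_json):
    """Parse a results document and return its findings list (may be empty)."""
    return json.loads(results_json).get("findings", [])


def new_findings(current, baseline):
    """Return the findings in current that have no match in baseline."""
    known = {finding_key(f) for f in baseline}
    return [f for f in current if finding_key(f) not in known]


def evaluate(current_json, baseline_json=None, fail_on=4):
    """Apply the policy: fail when any finding not in the baseline has
    severity >= fail_on (default 4 = High). Returns
    (should_fail, blocking_findings, all_new_findings)."""
    current = load_findings(current_json)
    baseline = load_findings(baseline_json) if baseline_json else []
    candidates = new_findings(current, baseline)
    blocking = [f for f in candidates if f["severity"] >= fail_on]
    return (len(blocking) > 0, blocking, candidates)


def summarize(findings):
    """One human-readable line per finding for the CI log."""
    lines = []
    for f in findings:
        src = f["files"]["source_file"]
        name = SEVERITY_NAMES.get(f["severity"], str(f["severity"]))
        lines.append(f"{name}: CWE-{f['cwe_id']} in {src['file']}:{src['line']} ({f['issue_type']})")
    return lines


if __name__ == "__main__":
    failed, blocking, reported = evaluate(CURRENT_RESULTS, BASELINE_RESULTS)
    for line in summarize(reported):
        print(line)
    print("BUILD FAILED" if failed else "BUILD PASSED")
    raise SystemExit(1 if failed else 0)
```

Run against the constructed input, the SQL injection finding (Very High) is new and blocks the build, the log-forging finding is new but below the threshold and is only reported, and the weak-hash finding is suppressed because the baseline already contains it. Drop the baseline argument and the weak hash blocks as well, which is the "first scan of a large legacy application" situation the second review describes; a baseline taken once from the main branch is what lets the gate run on every developer check-in without re-litigating the backlog each time.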
PeerSpot user
Kv Rao - PeerSpot reviewer
Site Leader (India) at Industrial Scientific
Real User
Top 10
Integrates pipelines smoothly and fortifies code against vulnerabilities
Pros and Cons
  • "The ease of integration with Bitbucket pipelines and Git pipelines is vital for us."
  • "Veracode allows us to easily summarize issues and provide quick, actionable insights."
  • "Veracode can improve the licensing model as it is a bit confusing."

What is our primary use case?

I use Veracode in multiple places including static code analysis, penetration testing, and dynamic code analysis. It is part of our pipeline and integrates well with Bitbucket and Git pipelines.

What is most valuable?

The ease of integration with Bitbucket pipelines and Git pipelines is vital for us. Veracode allows us to easily summarize issues and provide quick, actionable insights. It offers confidence by preventing exposure to vulnerabilities and helps ensure that we are not deploying vulnerable code into production.

What needs improvement?

Veracode can improve the licensing model as it is a bit confusing. 

Additionally, threat modeling and asset management could be made more general rather than very specific.

For how long have I used the solution?

I have had experience with Veracode for a few years now, at least a couple of years.

How are customer service and support?

I have seen an upward rating of eight or more out of ten. They are very responsive and quick to help with queries within our scope.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We considered other solutions but have stuck with Veracode due to an enterprise level licensing deal and it serving our immediate important needs.

What's my experience with pricing, setup cost, and licensing?

The licensing model is a little confusing, but we have a good relationship in terms of how it is set up. The pricing and model align with the needs of the developer community and the cybersecurity office.

What other advice do I have?

I would recommend this solution as it is adaptable for threat modeling and penetration testing on contemporary tech stacks. 

Overall, I rate the solution an eight out of ten.

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Manager of Application Development and Integrations at a university with 1,001-5,000 employees
MSP
Prevented vulnerable code from going into production but their support is lacking
Pros and Cons
  • "Veracode Security Labs are fantastic. My team loves getting the hands-on experience of putting in a flaw and fixing it. It's interactive. We've gotten decent support from the sales and software engineers, so the initial support was excellent. They scheduled a consultation call to dive deep and discuss why we see these findings and codes. That was incredibly helpful."
  • "Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in."

What is our primary use case?

We use Veracode for dynamic, static, and software composition scanning. Veracode is a SaaS solution.

How has it helped my organization?

Veracode has exposed many flaws, and the Security Labs have helped train the team to understand security and fix flaws. You don't know what you don't know. They've shown us what we don't know so we can identify and fix our security issues.

Veracode effectively prevented vulnerable code from going into production. I have a hard time validating that assumption, but I think it's good at that. It seems like it does a lot in terms of compliance with industry standards and regulations. 

We've requested some features for fine-tuning the ability to craft the policy and what can break a build. It was disappointing that they didn't add that. However, we've used the policy features and were able to report on it, so we were pleased with that. It can create custom dashboards and see which applications are breaking a policy. We get a lot of metrics on those scans. 

We have Veracode built into our software delivery pipeline. Automation was our objective when we started evaluating Veracode. We have a high degree of automation in our regular scanning. Every day we do software composition scanning and static analysis, and we do weekly scans using dynamic analysis.

The automation features have saved us tons of time because we don't have to worry about whether it is getting done. Tackling security requires a massive time investment. The value we get from it is that our apps are more secure.

Veracode has raised our leadership's security awareness. This tool has generated more conversations around security and ways we can protect our software.

What is most valuable?

Veracode Security Labs are fantastic. My team loves getting the hands-on experience of putting in a flaw and fixing it. It's interactive. We've gotten decent support from the sales and software engineers, so the initial support was excellent. They scheduled a consultation call to dive deep and discuss why we see these findings and codes. That was incredibly helpful.

Veracode's static and software composition scanning has been most beneficial for us. We already use a competing product for dynamic scanning. 

What needs improvement?

Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in.

I've been harping on it for the last two years. They try to compensate for that by building a relationship with staff. We keep asking questions we wouldn't have to ask if they had a better user interface. They would save their staff time and save us a lot of hassle. 

They claim to have the best false positive rate. It's hard to judge, but we've had several false positives, and the solution's inability to resolve them has been incredibly frustrating. The ability to schedule a consultation to talk through what's going on has been helpful. Still, I'd like to see the capability to act on false positives and resolve them in the application instead of us marking things as false positives. That's where they need to improve.

It has occupied my team's time because they're escalating the issue from support to engineering. They've been consulting my developers. They raise issues but don't spend time duplicating the issue. They close tickets saying it's not a problem or misunderstand what's being requested. They need to mature in that area a lot.

For how long have I used the solution?

I've been using Veracode for about two years now.

What do I think about the stability of the solution?

I have some concerns about the leadership. This is only speculation, but I believe some leadership decisions have created a ton of turnover at Veracode. The solution was sold to another company, impacting us because we constantly get new contacts to work with, so we always have to ramp them up to speed. They're not necessarily as skilled as the prior contacts we've had. 

Is Veracode taking care of their staff? Are they keeping the people they need to support their customers? There have been months when I just had turnover fatigue from Veracode because we're constantly getting new contacts to work with. One thing that sets them apart is that we have a direct contact we can go to when we need an issue escalated or we need help understanding how something works.

What do I think about the scalability of the solution?

I don't have any concerns about scalability.

How are customer service and support?

I rate Veracode support two out of 10. When I raise issues, I expect support to bend over backward and be grateful that we're pointing out problems in their system. They should work to understand what we're talking about and reach out to us. 

I expect to meet with them, and I've never had a meeting with them to talk through issues. That's not how they work. Also, I feel like their staff isn't very skilled. They don't understand things and insult my developers. The support is terrible, but other Veracode staff has been exceptional. We always have to lean on our customer support contacts to determine why a ticket was closed. What's going on here? Can you escalate this? We're not getting any traction on that. 

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

I previously used Qualys. It had terrible support and wasn't supported well enough at the university. Also, Qualys is not a full-app security solution. It only did dynamic scanning and lacked the flexibility we needed.

How was the initial setup?

Setting up Veracode takes some effort. Their web interface isn't too intuitive. It's also slow, which poses a challenge when setting it up. Veracode provided some help getting it running. 

We did it ourselves with help from Veracode. If I had to do it again, I would do it all ourselves, too, because we got the support we needed from Veracode and didn't require a consultant's extra expertise. Veracode was that expertise. 

After deployment, Veracode requires routine maintenance. Their platform is down sometimes. Our nightly builds occasionally get stuck, and we must reach out to them. There is scheduled maintenance and dealing with issues as they come. I don't know if you necessarily call that maintenance, but it's time-consuming.

What was our ROI?

It's hard to quantify ROI on security. It makes us feel better. We have all this scanning, and we're identifying where we are vulnerable. If it prevents exposure, it saves us millions of dollars. There's potentially a considerable ROI, but it's speculative at this point.

What's my experience with pricing, setup cost, and licensing?

The cost has been a barrier to broader use here. I think my team is the only one at the university. Other folks might like to use it, but it's pretty pricey. You could see what else is in the market, but I hear that's the price for most solutions. You might not find a better deal in the market, or it might be an incomplete solution. For the level of interaction we get with Veracode staff, it's been pretty good.

Right now, we've had a little more interaction with Veracode staff because they want to sell to the rest of the university. So they've been willing to meet with us frequently, answer questions, and get on support for issues that get closed when they shouldn't be closed.

What other advice do I have?

I rate Veracode seven out of 10 because I have a beef about their support. Their turnover is impacting us, and we have concerns about how they treat their staff. We love Security Labs. We like the dashboards and reporting. I feel like Veracode wants to see us succeed on their platform, which goes a long way. They want to help us meet the goals set when we started using this product. That's a value add they provide. They do a great job finding security flaws.

At the same time, we have issues with support, platform usability, and performance. If I met a prospective Veracode user, I would point out those issues but also mention our positive experience with the solution engineer and sales staff. They've been accommodating and always willing to work with us.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2025