Veracode Reviews

We utilize Veracode to assist in establishing secure-by-design and development processes for our web applications, as well as transitioning from other systems to microservices.

Once Veracode is correctly tuned, its ability to prevent vulnerable code from entering production increases.

An SBOM is a list that can help us manage our risks by tailoring it with software competition analysis, scanning for vulnerabilities, and addressing third-party risks. As part of the supply chain, an SBOM provides a visual representation of the components present in our application, enabling us to take appropriate action.

Creating an SBOM is straightforward. 

From a central perspective and a risk standpoint, the SBOM holds significant importance and must be integrated into our environment for the Software Development Life Cycle users.

Veracode has provided us with the opportunity to secure our applications. It enables us to identify risks and develop a strategy based on the results obtained from Veracode. These results are utilized to target developer training policies that we have created for pipeline and policy scanning. Additionally, Veracode provides us with guidance on resource allocation for teams. Overall, Veracode has proven to be highly useful. We obtained data from Veracode starting from day one of usage and witness its complete value within the initial six months of utilization.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is commendable. They dedicate ample time to conduct thorough research and executing internal campaigns. Instead of hastily releasing new features and language support, they meticulously perform six to nine-month testing to ensure proper formatting and functionality.

I give Veracode's false positive rate an eight out of ten.

A seasoned developer with the appropriate mindset understands the necessity of fine-tuning regarding false positives, as this can impact novice developers.

Veracode's low false positive rate in static analysis has had a positive impact on the time we spend fine-tuning policies.

Veracode greatly influences our organization's ability to address flaws. Resource allocation, strategy, and trading have had a significant impact, particularly when considering the redirection of traffic. Starting from the point of deviation becomes crucial in this context. Without comprehending the potential flaws that may arise within our environment, we cannot determine the appropriate direction to mitigate and reduce them over time.

Veracode assists our developers in saving time when used correctly. It took us approximately one year to align all the developers' mindsets, but once we achieved this, our team matured, and tasks became easier.

Veracode has been beneficial for our organization's security posture.

Veracode has reduced the cost of our DevSecOps by helping us decrease development time, remediation efforts, and the expenses associated with fixing flaws at a later stage.

Veracode Fix is a new feature that functions similarly to auto-remediation for low or medium flaw codes. Essentially, it serves as a means to demonstrate to developers how to create secure coding modules and solutions. I am excited about it because I believe it will accelerate development time.

The language version support could be improved. For instance, I recall a situation where there was a slight delay in supporting the application for a specific job because there were concerns regarding the vulnerabilities present in the new languages.

Veracode combines container scanning and software composition analysis into a single package. This has always been an issue because people want the freedom to choose one or the other. However, we are almost compelled to purchase both components together.

I would like to request the inclusion of incremental scanning in a future release. By scanning only the portions of code where changes were made instead of the entire code, we can significantly reduce the scanning time.

I would like to see what Veracode plans to do regarding endpoint protection, PAN testing, DAST, RAST, and similar areas. I haven't seen any developments in these aspects yet. Products like Contrast are more advanced in this regard. So, as teams become more mature, what steps can we take to adopt the mindset and processes required for such advancements?

I have been using Veracode for over four years.

Veracode has experienced occasional downtimes, but for the most part, it has remained stable.

Veracode is capable of scaling to accommodate the needs of large organizations.

The technical support is excellent. They have application security experts. If we have an issue within the platform, we can reach out to either a Success Manager or a technical representative, and they usually respond within twenty-four hours. Additionally, as a developer or end users, we can schedule consultations and speak to someone who understands a specific language, which is really helpful.

Positive

Aside from the standard licensing fees, we also have to pay for a competent Success Manager. We initially received a favorable deal in the first year, presumably to secure our business, but we have since observed a gradual annual increase in costs.

I would definitely recommend having a Success Manager in the first year. Once the teams become more mature, companies like Synopsys, Veracode, Checkmarx, and others are large enough to offer competitive deals if they are interested in our business. For small businesses, using open source tools would be worth considering. With Veracode, we pay for the research they have conducted and have gained a deep understanding of various flaws. Their risk rating aligns well with our requirements, which is beneficial. We rely on this tool and find it fantastic from a data perspective. The data provided has greatly assisted us in our strategic decision-making.

I have tested all of the solutions. I have tested Synopsys, Veracode, and Checkmarx. Checkmarx is a truly excellent product. The only drawback was that their dashboard was subpar, resulting in poor data quality.

I would rate Veracode a seven out of ten. Although it doesn't fulfill all our requirements, I am still impressed with it and find the solution appealing.

Veracode has excelled in SAST, DAST, and IAST, but conducting scans, secret scanning, and IAC are new areas for them.

Veracode alone cannot solve our issues or problems. We need to have an agile mindset and ensure that security is embedded and maintained. We need to educate developers to be able to use these tools effectively and incorporate them into their everyday processes.

Veracode can be hosted within Europe or at our local location if needed. However, I believe they offer various instances. Personally, I prefer the SaaS solution over on-prem, mainly because unless we have specific data privacy requirements, using the SaaS solution is more convenient. Opting for on-prem would require additional resources, such as setting it up and engaging with Veracode support, which can be a more complex process. 

Veracode handles the maintenance. All we need to do is set up the files for pipeline scans. Our engineering teams can handle that. In terms of policies, we should review them annually. Credentials will naturally expire on an annual basis, so they need to be reviewed as well. If we want to pursue additional tasks like GitHub integrations, then the setup process is required.  

I recommend evaluating the top four solutions listed in the Gartner report or any other reliable source of information. Test them thoroughly and ensure that the vendor truly understands the organization's environment before making a commitment.

It is crucial for individuals to comprehend and establish a workflow environment before they commence providing tools, and I believe there is indeed a wealth of information pertaining to data dashboards. Although it may require time, we can collaborate with Veracode to construct it. Overall, it is beneficial. It is truly excellent. 

We use Veracode to find any vulnerabilities and for risk management.

There are multiple ways to use Veracode. We can use Veracode directly in our ID environment, and we can use it in the UI environment in our platform. We can integrate it with GitHub or GitLab. We can also install SourceClear as an agent.

It helps to reduce the application risk rate. It checks for any vulnerabilities or CVE IDs against its database. If any vulnerabilities are present, it gives suggestions, remediations, and fixes. They have recently started with Veracode Fix, so the auto-fix capability is there for your code.

Previously, it was very difficult to find vulnerabilities and scan threats. It is a primary need to maintain the security of our code. Veracode is a good option. It provides all kinds of features for developers.

Veracode checks for vulnerabilities in the static code, third-party libraries, and infrastructure. If there are any vulnerabilities in your static code, it will provide them. It can also auto-fix them with Veracode Fix. For Web APIs, there is a solution called DAST Essentials. It came out recently, but it is a very good solution.

It has been a year since I have been using Veracode, and it has been very helpful. It gave me the vulnerabilities present in my code, such as SQL injection, and the fixes for them. It gives good suggestions to improve the score of our code base. It gives a lot of things.

I started using Veracode Fix about one month back. It can automatically fix whatever vulnerabilities are present in the code. In GitHub, it shows the line numbers that it has fixed. It also provides a reason to fix them. It also gives a report based on your policies. If any high-severity vulnerability was there, it tells you how it was fixed. Everything is given in detail in the reports. It is very good.

Veracode's policy reporting is good for ensuring compliance with industry standards and regulations. I would rate it an eight out of ten for that.

Veracode provides visibility into application status at every phase of development, but the option of infrastructure and deployment security is not there in Veracode. They have probably started working on that.

We use third-party libraries, and it suggests using only the safest versions. It gives suggestions on vulnerabilities that are present and how to fix them. It is very good. It makes our code secure.

Veracode saves 10% to 20% time of developers. 

I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabilities. It maps everything for you. It gives suggestions and remediations.

They should provide infrastructure management. They have not included any infrastructure security. Kubernetes images are also not there.

Their scanning engine is sometimes a little bit slow. They can improve the scan time.

I have been using Veracode for more than one year.

It is stable. I would rate it an 8 out of 10 for stability.

It is scalable. We have 5 projects. In every team, 2-3 people are using Veracode. We have a dashboard, and through that dashboard, we log in to our account. We are also using a GitHub wrapper.

We have a sprint of 2 weeks, so every 2 weeks, we deploy code. We have a team of 10 people, and at a time, at least 5 people are involved in the deployment.

They have an Application Security Consultation team. Veracode support is also there. We can email them for any issues, and we can also connect with the ACS team through a Zoom meeting.

Their documentation is also very good. In the case of any issues, we follow the documentation.

Neutral

I have previously worked with SonarQube. The decision to switch to Veracode was taken by our management.

Veracode is better than SonarQube. In SonarQube, you need to give individual code, and then it fetches the details. With Veracode, you can get details about your entire application. Veracode Fix is also there to auto-fix the code. For web applications also, so many things are there with Veracode.

It is a very good product. Veracode Fix is also there. It gives very good solutions about the code and its reusability and fixes. It has been there for the last 17 years. Without such a solution, it is very difficult to find vulnerabilities and manage fixes. 

I would recommend using Veracode. It has good features. It scans your source code and your third-party libraries. There are a lot of new products in the market, but Veracode is good.

Overall, I would rate Veracode an 8 out of 10.

We are quite new to security systems. We have not adopted Veracode at the enterprise level. We are using the GitHub Advanced Security system. We were looking for static code analysis or software configuration analysis tools in the market. That is when we explored Veracode.

We want to centralize our security systems so that any repository that developers are using or creating in our organization follows the same set of standards. We want to have all the security checks and all the static code analysis done at the same level and with one client.

We have had challenges with security because developers come from different organizations and different backgrounds. They have different ways of coding. Based on their experience, they write the code, but there is a very high chance of having vulnerabilities in their code. The PR reviews used to take a lot of time for the reviewer. By implementing such a solution at the enterprise level, we assume that we will save a lot of time for developers and code reviewers because everything will be done by the tool. It will impact us a lot.

Veracode is quite good. It checks the security vulnerabilities in our packages. It discovers them very nicely, but it is not a tool for improving code quality. It does not provide very good static code analysis.

Veracode's policy reporting is fine for ensuring compliance with industry standards and regulations.

Veracode provides visibility into application status at every phase of development.

Veracode saves our developers' time. They are not doing manual PR reviews. It has saved about 20% of the time because we are still in the adoption phase.

We have a lot of confidential data of clients. We do not want our application to be exposed outside. We have configured a code quality gate, so before production itself, it blocks the PR deployment and allows it once all the security checks are passed.

Veracode is one of the tools that helps to verify external dependencies. Veracode helps a lot there.

One thing that I like about Veracode is that it is quite a good tool for dynamic application testing. It is a little bit better than DeepSource and SonarQube in terms of software composition analysis and dynamic application testing. 

When I was looking into it, my initial impression was that it has a good UI as compared to other competitors.

A negative issue I found is that it has a subscription-based model. 

If Veracode can provide static analysis in terms of how we can improve the code quality, it will be quite a good feature.

I have been using Veracode for 2 years.

It is quite stable.

We have not deployed it on our on-premise system, so it is quite scalable. There are no issues with that. I would rate it a 6 out of 10 for scalability.

We have not used their support extensively, but when we were choosing Veracode, I felt that they have a very good support system. The support they provided was good.

Neutral

I also work with SonarQube. I did not switch from SonarQube to Veracode. We are using a combination of both because SonarQube provides good code quality, but Veracode does not. Veracode provides very good dynamic application testing and software configuration analysis, but SonarQube does not. A combination of both is meeting our needs.

Configuring SonarQube at the cloud level based on our requirements is quite challenging. The support is based on the community. It is not something we consider as an enterprise-level tool, whereas this is not the case with Veracode. These things are better in Veracode.

I was not involved in its deployment. I am in the quality team. The DevSecOps team takes care of its deployment. That team has 8 to 10 people.

It does not require any maintenance. Everything is done automatically by the vendor.

Everything was done in-house.

It is too early for that, but Veracode will save us development effort and time. That will be the return on investment for us in the future. We will be able to measure its overall cost-effectiveness by comparing what we are paying for the service and how much developer time it is saving. 

We are still considering it at the enterprise level. It has a subscription-based model. We find its price a little high based on the features it provides. In addition to the standard licensing costs, there are no additional costs.

To someone who is looking at Veracode but is concerned about the price, I would recommend exploring it themselves. They might not need the same features that we need. They might be looking at some other aspects of security. I would recommend exploring it and doing a price evaluation based on their needs. 

We also explored DeepSource for some time, but we did not go for it. The functionality that DeepSource provides is somewhere between Veracode and SonarQube. Veracode was a little bit better, and that is why we went for Veracode.

We do not use the free access to Veracode's Application Security Consulting team, but we are planning to use it. We have not yet used the Veracode Fix feature that produces AI-generated fixes. It is a new feature.

The fact that Veracode does not scan source code, only binary code, does not concern us. We are using multiple tools. Veracode is one of them.

Overall, I would rate Veracode a 7 out of 10. We are still adopting Veracode. We have not gone through all the features that Veracode provides. Its rating would probably increase after a few months of use. I would recommend Veracode to others.

We use Veracode to identify vulnerabilities in code to ensure the security and integration of the apps.

Veracode effectively identifies vulnerabilities within the code. My role is to analyze these vulnerabilities and assign a severity level before forwarding them to the development team. This allows them to address the issues before deployment to production.

Whenever Veracode releases a new feature, we seek the expertise of Veracode's application security consulting team to understand its functionality and how it contributes to code security. The team demonstrates exceptional responsiveness and promptly addresses our questions, eliminating the need for unnecessary back-and-forth communication.

In today's digital world, cybersecurity is more important than ever. Veracode offers a comprehensive suite of features that help developers secure their code through automated scanning. This scanning identifies vulnerabilities and detects malicious code, preventing it from entering production.

Veracode has helped reduce our time to remediate security flaws.

The policy reporting for ensuring compliance with industry standards and regulations has been positive for our organization.

Veracode provides visibility into application status at every phase of development.

It has been instrumental in enhancing our organization's ability to fix flaws while simultaneously reducing our manpower requirements allowing us to focus on other issues.

Veracode has helped our developers save 20 percent of their time.

Implementing Veracode has significantly bolstered our security posture. We can uncover more vulnerabilities and streamline our detection process. We've become more proactive in identifying and addressing security threats. This allows us to focus on building secure applications with confidence.

Veracode has proven to be a solid choice for our organization's shift-left security strategy, compared to other solutions like Darktrace.

To ensure secure software from development to deployment, we leverage Veracode throughout our CI/CD pipeline, enhancing our app security at every stage.

Veracode helps us prevent vulnerable code from entering production, strengthening our third-party application security.

Among Veracode's features, vulnerability scanning stands out for its effectiveness in identifying and remediating security weaknesses, ultimately mitigating threats to our applications. 

The integration capabilities have positively affected our existing development tools when integrating with other cloud solutions. It is easy to integrate and the support team is helpful during the integration process.

Veracode helped improve our compliance posture with our existing solutions.     

The automation of Veracode is great because we no longer have to run manual testing. 

The weekly report logs are great because we can address any vulnerability issues that are detected quickly.

Veracode runs comprehensive scans and links the vulnerable code to the weekly reports identifying what services are affected and forecasting the next steps.

The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users.

I would like Veracode to introduce more sophisticated AI features.  

I have been using Veracode for one year.

I would rate the stability of Veracode nine out of ten.

Veracode supports scaling up whenever we want to keep up with our growing app portfolio.

I would rate the scalability of Veracode eight out of ten.

The experience I had with their technical support has been great.

Positive

I recently changed companies, and my current employer does not use Veracode. However, I have discussed implementing it with them because it offers more mature features compared to other solutions.

The initial deployment took around four months and required five people.

Veracode is affordable for large organizations, but its pricing may be out of reach for small and medium companies.

I would rate Veracode an eight out of ten. Veracode's pricing hinders my overall rating of the solution. 

Veracode was deployed in two regions with 25-plus users.

Veracode requires some maintenance to keep the scanning accurate.

While I highly recommend Veracode, affordability for smaller organizations may be a significant hurdle due to its pricing structure. It's crucial to carefully evaluate their budget constraints and explore alternative solutions if necessary.

Our primary objective when using Veracode was to ensure the security of website development and other application developments we were working on. We aimed to prevent any security breaches and also closely monitor any potential vulnerabilities that could arise from code deployment. Fortunately, we were successful in identifying and addressing these vulnerabilities. 

Although the responses were somewhat mixed, we managed to go two years without a single security breach, which was a significant achievement. In addition to monitoring security breaches, we utilized Veracode for continuous monitoring. The difference lies in the fact that once the code is deployed and access to the server is initiated, there is a high possibility of connecting to a different server or encountering interference from unauthorized individuals. This continuous monitoring allows us to observe each step of the server, including the IP addresses and protocols, and ensure their proper functioning. Veracode facilitated us in carrying out this monitoring effectively.

Veracode's ability to prevent vulnerable code from entering production is remarkable. We were once alerted that there was a possibility of a breach occurring. Despite spending hours pondering the issue, we were unable to determine how that possibility existed. After discussing with the support team, we eventually learned the cause. Therefore, in terms of detecting vulnerabilities, it was excellent. However, the problem arose from the fact that it was not well-customized for our organization. Consequently, there were multiple instances where flags were raised for our IP address or email, which we knew were not vulnerabilities. In such cases, we had to address them accordingly.

Veracode's reporting feature provides comprehensive insights into the security status of our code or application. These reports generated by Veracode offer visibility into vulnerabilities and different severity levels of threats that may be present. They also recommend remediation steps to address these issues without extensive code modifications. I find this reporting feature valuable. Additionally, Veracode regularly releases updates, sometimes multiple times a day, ensuring that we are consistently up to date. Although this requires my engineers to work extensively on integrating AWS services with our platform, it is one of the standout features of Veracode due to the recommendations and frequent updates it provides.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is on the mark. Everything was proceeding as it should, with adherence to the established procedures, protocols, and reporting mechanisms by both the organization and the support team. At no point did we feel that the industry standards were compromised.

Veracode provides visibility into the application's status at every phase of development. Primarily, we were only conducting two types of tests. One was continuous integration, which keeps track of the entire application's deployment process. It detects any defects and ensures a smooth deployment. The other test we used to perform at certain times was manual integration. We would delve deeper and test additional aspects because we wanted to ensure with utmost precision that there were no vulnerabilities when deploying the application. Hence, we also had to manually utilize this program before deploying or pushing it to the code.

When conducting the cost-benefit analysis for Veracode after six months, we discovered that there were actually only two significant security breach possibilities. With the assistance of the solution, we were able to detect and resolve these breaches. The most significant advantage provided by the solution was the assurance that no breaches were occurring outside of the office. Any potential risks were either determined to be false alarms or promptly addressed. Therefore, the only actual breaches we encountered during the six-month period were two. However, we also gained a sense of security, which I consider to be a worthwhile trade-off for the cost.

Speaking specifically about the security department of our company, there was a notable reduction in costs after the introduction of Veracode. However, when considering the broader scope of all the development departments, we not only had to invest more time in each project but also had to hire additional resources. Consequently, when taking into account all the departments collectively, the overall expenses increased. However, focusing solely on the security development department, there was a substantial decrease in costs, approximately $7,000 per month.

The recommendations and frequent updates are the most valuable features of Veracode.

The false positive rates were quite high in our case. Prior to seeking a solution, we had already engaged in discussions with their support team, who also confirmed this issue. We had read a few reviews, which indicated the presence of false positives. However, in our specific situation, the number of false positives was substantial. There were instances when we logged in during the morning and encountered 30 or 40 raised flags. Resolving them sometimes occupied a significant portion of our day, often extending into the first half. Thus, in certain projects we undertook, the occurrence of false positives was considerably elevated. Despite being aware of this, we acknowledged that a majority of these flags were likely false. Nonetheless, due to the matter of security, we had to address them, resulting in a significant allocation of our time.

The false positive rate of the static analysis has impacted the time we spend on fine-tuning policies. We have had to allocate a considerable portion of the software team's time to address the significant number of false positives, resulting in substantial time investment. Additionally, some of our projects with clients have been delayed due to this issue. One particular project experienced a delay of approximately 25 days, with false positive cases accounting for an estimated 60 to 75 percent of the delay. The cost of the false positive rate is causing a slight disruption in the development process. Therefore, I believe this is the major area that needs improvement.

We initially deployed on the AWS cloud because AWS also offers us additional security benefits and most of our other solutions were already on AWS. However, I think Veracode could develop a self-contained cloud system, allowing them to deploy the solution on their own system. This would be beneficial for us as they could provide the data privacy we require. It would be great because each new update on the security process necessitates a slight change in the program.

The reporting features could be subcategorized if the bugs are categorized and subcategorized according to our requirements rather than the understanding of the security system. This would be beneficial because whenever we need to integrate or resolve a bug, it is crucial for us to identify the vulnerable parts of our code. This process requires additional time and effort. Moreover, it is often challenging for us to comprehend the specific changes the system expects from us.

I have been using Veracode for two years.

The stability of Veracode, in my opinion, was not very reliable considering the need to consider false positive readings. We had to invest a significant amount of time rectifying or addressing those inaccurate queries, which made it a less-than-ideal solution.

I believe the solution is scalable. I remember a time when we were working with four clients in total. Even though our agreement with Veracode was not to exceed three projects, we were able to manage that, and everything went smoothly. They were even able to implement registration. This probably occurred due to significant delays in one of our projects. I was able to onboard the next client, which means we were working with four clients at that time.

The technical support team is knowledgeable. In the initial stages, when our team lacked the technical capability to perform manual configurations on our own, they assisted us with that. Overall, the experience was satisfactory. Nothing extraordinary, but it was good.

Positive

The initial setup was fairly straightforward, although it did take us some time. Our team lacked the necessary technical capabilities since it was a new endeavor. Before Veracode, our company didn't have any other security measures in place. Since it was a new concept, our employees also had a technical knowledge gap, which required some time for learning. However, the deployment process, on the whole, wasn't overly technical. It was done in two or three stages. The first stage involved initial queue meetings to understand the configurations we were using for deploying the code. The subsequent meetings focused on understanding the features we desired, how they would be implemented, and accessed, and their frequencies. Following that, the tech team took over and handled the deployment for us.

Six engineers were involved in the deployment, although the entire working team comprised twenty-two people.

The implementation was completed in-house.

It is quite challenging to calculate ROI. However, I can confidently state that over the course of two years, we did not experience a single security breach. Furthermore, we ensured that our solutions were free from any vulnerabilities when delivering them to our clients. As a result, we established a positive reputation with our clients, as evidenced by the certification from Veracode, confirming the absence of vulnerabilities in our overall feature or code deployment. In summary, we maintained a flawless record of zero security breaches. Despite the difficulty in conducting a cost-benefit analysis, it remains an essential task.

I believe the price is fair according to market standards. However, if we are anticipating a growth phase in the enterprise, it might be a bit costly for us. On the other hand, if we are currently making profits and aiming to stabilize ourselves while improving our solutions and working with our existing team, it suited us well during that period. We were focused on developing the final product, refining protocols, and enhancing overall product development processes for our brands. Therefore, I believe it was a good fit for us. However, organizations that are in a growth phase may want to consider other options, even if it means compromising slightly on the security aspect.

We previously evaluated other solutions. One of the primary reasons for choosing Veracode was the ability to configure it at a deeper level, which was not possible with the other solutions. Another advantage was that the other solutions did not offer a six-month trial period, unlike Veracode. We initially had a trial for six months, which was later extended to one and a half years. Therefore, pricing became the third factor. However, even at the end of the two-year subscription, we were unable to conduct a thorough cost-benefit analysis. This seems to be a common situation in the industry. Without experiencing a breach, it is difficult to assess the cost-effectiveness of a solution.

I give Veracode a nine out of ten. I believe that, in general, Veracode is a good product. False positives and these types of issues can be found in almost every security product out there. The best part was Veracode's technical team. They were proficient in their knowledge and there was never a moment of misunderstanding between our team and theirs. Overall, Veracode ensured that we did not encounter any ransomware or security breaches at any point in time.

Our DevSecOps team was involved in two stages of the entire process. The first stage was during the initial design phase of the specific application build. We had to determine when and where we wanted to manually interpret using the tool, as well as identify potential security breaches that required close monitoring. This was the initial step. Following that, our team proceeded with development, which typically progressed smoothly in collaboration with the client for a period of two to three weeks. As we approached the deployment phase, we would once again discuss with their team to determine specific points where DevSecOps would manually deploy the solution for testing purposes. Afterward, we would assess the solution from our end.

The false positive rate did not have a negative effect on the confidence of our development team. It was made very clear to us by Veracode's support team, as well as through other reviews and conversations with clients, that there would be a possibility of false positives being raised. We had to go through them because we cannot afford to miss out on any potential security breach.

I don't believe Veracode has helped us save time. Overall, if we consider the larger context, saving time was not a direct expectation communicated by Veracode. Their expectation was solely to prevent any security breaches. Regarding time-saving, I don't think Veracode has provided any assistance in that aspect.

At the end of the day, we were essentially thinking of transitioning to a new solution, primarily due to the high number of false positives we were receiving from Veracode, we conducted a cost-and-benefit analysis specifically for Veracode. We discovered that, overall, it prevented our solution from being breached for more than six clients. Considering our annual client turnover rate is approximately twelve to thirteen, Veracode played a significant role in addressing a substantial portion of our challenges.

I recommend negotiating with Veracode for a free trial period. We frequently engage in negotiations to secure a six-month trial. A trial will assist in comprehending the intricacies. While there are benefits, it is important to note that the time required for each project will naturally increase. It is crucial to understand how Veracode operates and determine if it aligns with the company's needs. However, regarding pricing, I am confident that Veracode delivers as requested.

Veracode functions solely within the development department, but within the department itself, we have a division based on the two types of clients we deal with. One type is primarily focused on development, while the other is focused on procuring or conducting quantitative analysis for the markets.

For general everyday maintenance, only two people are involved. However, for monthly maintenance, approximately six people from our end are involved, and I am unsure of the number of people from Veracode's end.

I would advise speaking with other clients like us who have already used Veracode. Prior to that, however, we need to understand what kind of security breaches are possible in our solution and determine how much of our money and time we want to allocate to addressing them. We should assess the importance of these breaches to us. Once we have this understanding, we can discuss with other clients how the overall process went and how much time it actually takes. The final step would be to directly contact their team and negotiate for a longer trial period. The best decision we made was to initiate a six-month trial with Veracode and then transition to full-time usage.

We use Veracode for static code analysis, dynamic code analysis, and software composition analysis. In our organization, we have a bunch of applications that are running on a monorepo or microservice level. We have to do SAST on those applications so that we have a code review done on a bit level. 

Going forward through the application pipeline, we do it on the dynamic level, as well, where we are scanning the public URLs of those applications to see what people can see externally. It's a type of out-to-in scanning in which we are analyzing the traffic that is sent out and even the traffic that is coming in, the response and request headers of the URLs, whenever someone is at a single URL. 

Finally, for the software composition, Veracode uses a third-party analysis tool in which it has the libraries and the functions that are being used at a source code level. They are open source or dependent files that are used for building that in-house application.

As a company, we have moved from using contractors and third-party consulting companies to creating our software through more of an in-house model. We are moving more into the DevOps realm with more of our own teams developing our software. Veracode fits that DevSecOps ideology. It is definitely helping us build more secure software than we previously had.

We have a bunch of applications into which we have integrated Veracode and we have seen that, in the final phase of production delivery, there are fewer vulnerabilities than we used to have.

And because Veracode has remediation and tracking within the platform, it becomes a good single pane of glass where the developers and the security professionals can operate and govern the flaws in the software. And they can take the necessary steps to remediate them.

In the metrics that we generate every month, we have seen the numbers go up with respect to remediation as well as the number of flaws that we catch. The word is spreading, and more and more application teams are using the static code analysis tool inside their pipelines. Overall, we are moving from reactive mode to proactive mode in remediating vulnerabilities through Veracode.

Veracode also helps our developers save time, in the big picture, compared to a situation without Veracode. Let's say there is an application on which no static analysis was done and the audit team says, "Hey, you don't have any static code analysis in your pipelines. You need to do something about that." They could scan the code that is already running in production and find flaws, but those flaws would take a lot more effort, time, and resources to mitigate compared to if they had been detected in a static analysis prior to the code going into production. In that way, it has definitely saved time. But if we are talking about short-term planning for sprints, it takes a little more time than usual because security is coming into the picture, as well. But overall, it helps save time.

Our security posture has gotten better since 2020. It takes time to do the integration of the platform and educate people about how to use Veracode, and then move on to remediating and validating things. But the journey that we had with Veracode has definitely helped us a lot, overall, with respect to bettering our security posture.

The static analysis is the most valuable aspect for us.

It also has the ability to block a build. In pipeline scanning, there is a configuration that can be set with respect to the security level of the flaw. If there is a high or a critical issue, there's a way the build can be failed and blocked before going into production. But the best case that I have found for blocking builds is in the staging area. You don't really want any blocking done on the production environment because there are business SLAs that the enterprise has to fulfill. The best case would be blocking the builds in the staging phase, the pre-production environment, so that everything is taken care of before it is pushed to production.

There are three integration points for Veracode. One is the IDE plugin. Whenever a developer is writing code on their IDE platform plugin for Veracode—whether IntelliJ or Visual Studio, et cetera—it tells them if that piece of code has any vulnerabilities and if there is a better way to write the code.

The next point is the pipeline integration in which, whenever a build is getting pushed from a standalone branch to the main branch, a scan is done on that commit to see if there are any vulnerabilities.

Finally, when the build is published with the whole module, it can do another scan, as well. These three scans have their own pros and cons. The policy scan, which is a build scan, does the scanning on an overall basis with regard to the different standards out there, like OS and Spin5. It scans the first-party and third-party code, which is the most holistic scan that there can be. But the point is that it scans at three different integration points or stages, so it helps developers to remediate their vulnerabilities before they have moved far in the pipeline. Shift-left is definitely possible through Veracode.

Veracode's false positive rate is a little toward the higher side. We understand that Veracode doesn't have the business context. I advocate that people look at their code, even though there is a vulnerability, to see exactly what it is. For example, a randomize function is being used to create an ID that is not being hashed. Veracode marks it as a false positive because it doesn't know if the ID is being used for cookie generation or some random ID in the log generator. We, as dev or sec people, have to go in there and analyze what the ID is being used for. But the false positive rate is definitely a little bit on the higher side.

The effect of the false positive rate on developers' confidence in the solution depends on the maturity level of that particular application team with respect to learning Veracode. In the initial stages, obviously, when developers see that, whenever they're writing code or pushing a build, there are a bunch of vulnerabilities, it may affect their confidence. But a couple of months or a couple of quarters down the line, when those same developers have already used Veracode and have raised their maturity level from one to at least three, it doesn't really affect them because they know that they have to go in there and check the vulnerabilities for themselves to determine if it's a false positive or a real vulnerability.

It has definitely taken a little more time to validate the false positives, but I would say there are a lot of true positives, as well, which have been remediated and which have been mitigated for the betterment of the security posture. But it has definitely taken a little more time to mark or validate those positives. Hence, I definitely advocate that people shift a little more to the left. They should do ID and pipeline scanning before they hit policy scanning because, with ID and pipeline scanning, you scan small chunks of code. You remediate that code faster, before it goes to the whole package and there's a bunch that you have to deal with.

Also, container security is slowly becoming a prevalent part of the development realm. Veracode's SAST, DAST, and SCA are pretty good with respect to industry standards, but with regard to container security, they are in either beta or alpha testing. They need to get that particular feature up and running so that they take care of the container security part.

In addition, there is a new concept out there, the IAST, which is interactive assessment security testing. It is a little more proactive than SAST. So if Veracode can combine that feature with their current technology, they would definitely be a front-runner again for the next five to six years.

I've been using Veracode for the last three and a half years.

Once or twice a month there is maintenance on the Veracode side because they're updating some signature in their database or something else. I have seen maintenance coming up, but it's not an issue because the pipelines and integrations that we are running keep on running in the background. It's just the GUI that we are not able to access at that particular time.

It's pretty scalable if our enterprise has the licenses for scaling the applications. I haven't faced any issues with regard to scalability, apart from licensing, of course.

We have contacted Veracode's tech support a bunch of times. The only downside is the time needed to schedule a consultation call with the pro services team, keeping in mind that enterprises need to buy pro services licenses before they can use it.

When someone is scheduling a meeting with them, the issue type should be as precise as possible. In that way, they can rope in the exact SME for that particular topic, because in the development realm there are so many languages and so many types of issues out there. There are different personnel for each of those categories. So the more precise the details are for the meeting, the better the SME will be for that particular consultation.

Positive

We have only used Veracode, right from the start.

The initial setup was pretty straightforward. They have a SaaS solution and there are a bunch of API integrations that made it pretty straightforward.

As for maintenance, all the upgrades and updates are done on Veracode's side. But there is a wrapper. When we are doing the integration, there is a package that we use to upload the files in Veracode. Sometimes there is a new release for that package and we have to update it in the GitLab repo. That's the only maintenance we need to do.

They have made it worth the price with the kind of discount and the kinds of modifications they made for us with regard to licensing. Previously, it was per profile. But they have adjusted according to our requirements because we are a big company and we handle a lot of applications. There's a tiered discount that they have provided us, so the cost is justified.

If someone looking at Veracode is concerned about the price, it depends on their requirements. I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing. Obviously, there are other cutting-edge solutions that have become available recently, but Veracode is something that a big organization should look at.

When it comes to managing risks, we use the remediation feature that Veracode has. Whenever there is a flaw, we do have tickets open up for it and the application owner or the developer goes through the vulnerabilities. There are times when the vulnerability is a false positive and you can mark it as such within the Veracode platform itself. And we, as security professionals, do the validation for whether the business justification is good or not. And we either have a source code review for the vulnerability or have an exception open up for the remediation step that the application or the owner is asking for. We do risks via the platform, as well as through the ticketing tool that we use.

We are also using SBOM (Software Bill of Materials) for inventing all the different kinds of modules and libraries that we are using for an application. Using the SBOM feature, you would have to leverage the API to get the inventory from the API calls that Veracode has. But in our organization, we use the GUI report generation more than the SBOM report because there is an executive summary in the GUI report with regard to first-party and third-party flaws. It also has the mitigation steps. SBOM would only give you the list of softwares, libraries, and versions that are being used. It is not as detailed as the GUI report that Veracode provides.

Things to consider when looking at Veracode include the different integration points where you want to integrate Veracode, how big your organization is, and how many applications you want to do security analysis on. If it's a big organization, Veracode is obviously a solution to evaluate, but for a small organization, below 500 apps, it might be a little pricey. Also, you will need a couple of Veracode champions on your team who know it inside out. You will need training provided by Veracode, so make sure that is included during the procurement stage. That will help you implement the tool within your organization faster and much more efficiently.

I would have given Veracode a nine out of 10 a couple of years back, but given the tools that are coming out on the market, and the scope of development, which is increasing, I would place it at eight.

Veracode is a DAST solution that we use for automated security scans of our APIs and front end. We perform daily scans of our applications so we can act on the results quickly instead of routine security audits that we might do yearly or quarterly. It's a complement to the standard penetration test suite.

Veracode helps us improve our overall security and build trust with our customers. For example, some of our customers have strict security requirements, and they need us to use more products. It helps our business by building confidence in our products' security. Veracode improves our sales and helps us secure contracts because we can demonstrate what we are doing to the clients. 

We can use it in our dev environment to detect issues early before they get into production. It saves time equivalent to one full-time security engineer. We have around 60 people on the team, but we don't need a security engineer. Our regular engineers can fix the issues themselves based on Veracode's report. 

I like Veracode's ease of integration and onboarding. You can quickly and easily get started with a new project or application. That's one area where Veracode shines relative to other tools we've evaluated. Other tools need more work or an engineer to do the setup. With Veracode, you can do the onboarding in a few steps quickly. 

Another beneficial feature is Veracode's reporting. The report not only outlines the security issues in detail but also offers some solutions. Even if one of our backend engineers isn't specialized in security, they can still fix the issue solely based on the suggestions in the report. 

When Veracode updates the pool of tests and security checks, it could be a little more transparent about what it is releasing. It's not clear what it's adding. They do thousands of checks, and when they add more, there aren't many details about what the new tests are doing. 

I have used Veracode for 2 years.

I rate Veracode 10 out of 10 for stability.

I rate Veracode support 8 out of 10.

Positive

Veracode is the first tool we purchased specifically for DAST testing. We we use altered secure tools, and we used to do penetration test, but using people. Right? Not not automated.

Deploying Veracode was straightforward. There weren't many steps. We needed to prepare our API specifications and set up our system. 

The price is worth it. You have to consider the cost versus the security Veracode provides. It's also cheaper than the other solutions we considered. 

I rate Veracode 9 out of 10. 

We use Veracode mainly for legacy software audits.

The most valuable feature of Veracode is the binary scan feature for auditing, which allows us to audit the software without the source code. Veracode's most valuable feature is the verified vulnerability database, and we can do a full software audit at our company, including all of the systems.

Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects.

With the solution's security audit feature, an enterprise should be able to cover all of its applications with the desktops. Veracode is simply too expensive for that. If you know about the price of a web application, and if you multiply it by 1,000, the return on investment doesn't work. It's okay for one or two projects running very fast, but it doesn't work for all the legacies. So, it's a huge amount of money.

There should be some lighter tool that allows you to do some audit scanned one time. Only ten percent of the applications are actively developed. About 90% of the other applications have no projects or budgets, but we are still vulnerable. It is too much if you buy it for all of that.

I have been using Veracode for three years.

Veracode is a completely stable solution, and we had no problems with its stability. The solution was a bit slow, but it was stable.

We didn’t face any issues with the solution’s scalability.

We know only one person from Veracode, and he supported us when we had issues, and he was able to solve everything.

Positive

We have previously used Checkmarx. Veracode's pricing is cheaper than Checkmarx, and it has some unique features like binary scan. In Hungary, Checkmarx is installed more than Veracode.

The solution’s initial setup was very easy. Only one or two people are needed for the initial setup of the solution.

Veracode is a very expensive product.

Veracode can list a lot of vulnerabilities, but processing all of them is a time- and resource-intensive process. I think Veracode has no innovative features because a lot of other software can do that. In our opinion, innovative features are a commodity with Veracode, but they are doing a good job.

The solution's ability to provide visibility into application status at every phase of development is valuable. It can be faster, but it can also slow down because our backlog may be much longer. There will be a lot of vulnerabilities or false positives that have to be processed. So, it is not black and white, but it is safer. Veracode has helped our developers save time.

Veracode has had a very low impact on our organization’s overall security posture because it is a very expensive product. An enterprise with 1,000 applications uses the solution for one or two applications. Veracode does not need any maintenance because it's cloud-based.

Veracode is very important to our organization’s shift-left security strategy when we have a project with enough sources to provide the license. I use Veracode’s cloud version. The return on investment with Veracode is good for one or two mission-critical projects running in the company. For other things, users should use open-source solutions or much cheaper products like SonarQube that are not as good as Veracode.

The fact that Veracode scans only binary code and doesn't scan source code concerns me sometimes. Sometimes, we have to do some source repository audits. We cannot use Veracode for source repository audits because it scans only binary code. I would recommend Veracode to other users.

Overall, I rate the solution ten out of ten.