Veracode Reviews

We use Veracode for static application security testing, dynamic testing, and software composition analysis. My company's engineering team has about 50 people who use Veracode across multiple product lines. 

The main benefit of Veracode is that we can deliver better, more secure software. Our customers also trust Veracode. When we share the Veracode report, they see that we have gone through all the due diligence.

Veracode aligns with SOC, ISO, and other types of certifications. It helps with compliance that Veracode has all these reporting formats. The solution provides visibility at every stage of development. We have automated almost everything through integration with Jenkins. As soon as the developer commits, it triggers the static scan for the main branches. We don't need to trigger the scan manually or do a follow-up to see if it's done scanning. 

The solution saves time by reporting issues and recommendations that help developers fix the reported vulnerabilities faster. I estimate that it improved developer productivity by about 10 percent.

Veracode has good support for microservices, and I also like the sandbox environment. For example, when introducing a new component, we can scan it in a sandbox environment. It will not impact the main environment. When our team fixes it, they. can push it to the production environment when the results are acceptable. 

The solution effectively prevents vulnerabilities from entering production. We've drastically reduced our third-party VAPT-reported issues. Before Veracode, the third-party VAPT analysis reported hundreds of issues per application. Now it's down to about 20, and Veracode can address most of them.

The interface is one thing I find a little challenging. Veracode's interface feels a little outdated compared to other solutions, and it could be modernized. I'm mostly happy with the features, but Veracode could add Docker image scanning. 

I have used Veracode for about six years.

Veracode seems stable. I don't recall facing any issues. 

Veracode is scalable.

I rate Veracode support eight out of 10. They are quite good at responding to issues. 

Positive

We tried AppScan and Snyk.  From an integration perspective, Snyk is a little better integrated with our pipelines and ticketing system. 

I can't recall the deployment well, but I think it was straightforward. Veracode requires no maintenance after deployment. 

I have not calculated the return on investment, but I think it's at least 200 percent. 

We aren't paying the listed price. We get some discounts, but we get a lot of value from it regardless of what we're paying. We look at the overall cost of what we would spend without a tool like Veracode. The longer you delay fixing security vulnerabilities, the more it will cost you during the later stages. By integrating it into the development cycle earlier, it helps to keep total costs lower.

We evaluated multiple scanning solutions before choosing Veracode, and we perform a mandatory comparative analysis annually. Veracode's scanning engine is more innovative and provides a more detailed analysis relative to Snyk and AppScan. It performs much better in terms of the number of issues discovered. 

I rate Veracode 10 out of 10. When implementing Veracode, you need to develop a workflow or a process. It becomes easier if you have that in place. For example, you can create a workflow where you scan inside the sandbox and approve those fixes before moving to production. 

Also, you should have separate people for raising issues, remediation, and approval. That way, you will have some control over which issues are mitigated and for what reason. That process flow has to be set up properly. Another aspect of successful implementation is automation. Your team needs to invest time in automating and embedding scanning in your pipelines. 

My company produces one of the most secure fabrics that you can find. Veracode is integrated into our development cycle through Jira. We do a full static analysis with Veracode and use Burp Suite to review the findings. The most common attack vector we find in Java code is SQL injection. When SQL injection shows up, you send a screenshot and a report to your executive team. They see the screenshot and say, "Oh, they're seeking injection here." 

This has now become a top priority. We're going to pause all these redundant features that we're making here and ensure our code is secure with no SQL injection vulnerabilities. Veracode finds everything, and the security engineers do the penetration test using the results. You provide a report showing where the issue is, and developers can fix it. We also use Veracode to train security engineers and teach them how to file reports.

My case is different from other individuals. I worked for a startup, so we had to find a way to capitalize on all the resources in Veracode. Larger organizations are not leveraging the built-in dashboard. That aspect is what people want to know about. They want to see how their money is being spent on security. The biggest problem with security is getting funding. None of these executives believe anything these users are saying until they can see the results.

They want that dashboard report. In less than three weeks, a junior security engineer can learn to create a dashboard easily that will allow the organization to stay on top of the most important things. They need to show the stakeholders that we're doing something here. They'll get the certification and see the dashboards. You now have something that's actually worth $2,000. With these other ones, who knows what you'll get. 

It allows us to provide a certificate showing stakeholders and potential customers the proof that we take security seriously. Everyone says that they're on top of their security and have all these things in place. In a sales call, we can immediately respond to any questions about our security posture by pointing them to a link showing that your company was among the few companies that completed the full certification process. Veracode has four levels of certification, and we are at level three, I believe. 

To my knowledge, Veracode is the only real devSecOps pipeline that captures every component of the software delivery cycle, from sandbox and staging to development and production. You need to go through those four phases and ensure the code is secure by the time it hits production. Veracode handles all those phases seamlessly and can be automated with Jenkins.

Veracode is highly efficient at fixing flaws. A single person can go through and do a penetration test after collecting the data from Veracode. Instead of telling developers where the issue is, they can show them in the code editor for the static analysis. They can assign tasks to the team using Jira, so developers almost never need to do that work. They actually almost never go back and fix any of these vulnerabilities. That's why I was my company's most hated and most loved man. I forced them to do it.

I like Veracode's API. You can put it into a simple bash script and run your own security testing from your MacBook in less than 15 minutes. Veracode's application security consulting team is very helpful. They're responsive and follow up quickly. 

Veracode would benefit greatly from more training resources. The videos are great, but I would like more hands-on training writing a script, validating a script with a unit test in a different language, etc. That's something that would be very valuable. 

We have used Veracode for more than four years.

Veracode is highly stable. It very rarely crashes. 

I rate Veracode support 10 out of 10. Their customer support is incredible. If I have any issues, I can immediately connect with their support team and have a real working solution within one week.

Positive

Deploying Veracode is easy. I had the best customer success manager at Veracode helping me. After deployment, Veracode requires little maintenance. 

Veracode is inexpensive and cost-effective. The licensing model is unambiguous. You know what you are getting. They also give you several seats for training. That's why it would benefit them to improve the training because more people could take advantage of it and use certifications. Some certifications for other products don't have much real value, but Veracode is a product many companies use, so it could help people get jobs.

If you're concerned about the cost, you should meet with a representative to talk about pricing. Veracode is flexible, and they're willing to let companies try the platform or test different features. They will work with companies to get to the point where they'll use it.

I used JFrog X-ray with homegrown scripts for testing the code. It was terrible. We chose Veracode because it is more scalable. We could run scans on any code, and it was reliable. Also, their documentation was up to date. With other software providers, you would find an issue in the documentation, and they would backtrack, saying, "Oh, no one's using that." 

Veracode immediately responds to the community. You have people in the community supporting each other and suggesting new features. Software providers say they're open to suggestions. Veracode will quickly get something from the community and immediately put it into development. JFrog has the same stuff as they did four years ago. They haven't changed anything. 

I rate Veracode 10 out of 10. Veracode is constantly changing and improving. 

We use Veracode for SAST and SCA. We are moving towards dynamic analysis as well. We use it now to scan our artifacts and reports, and very soon we are going to use the Veracode plugin for our IDE to have immediate results for security analysis purposes.

Before integrating Veracode, we were getting so many security vulnerabilities on higher branches. We integrated it to fix that. It prevents vulnerable code from going into production. We have fewer vulnerabilities and bugs.

We are getting the security vulnerability results on a day-to-day basis. Our pipeline is running every hour, and we are getting early feedback, giving us a shift-left approach. On a daily basis, we are able to rectify issues rather than find them in production or pre-production.

It provides visibility into application status at every phase of development. We have our initial feature branch, or low-level branch, and then we commit. The pipeline is running, so we will know about things immediately. This is quite valuable for us.

The SCA, agent-based analysis, is valuable. SAST and DAST take time, while this is quite fast. It gives the results very quickly. We have implemented it into our CI/CD pipeline.

Another aspect that is quite good is the policy reporting for ensuring compliance with industry standards and regulations. Initially, we were using freeware tools, but we are quite impressed with how Veracode gives the most detailed and latest vulnerability and security information.

I have been using Veracode for almost a year.

It's a stable solution. There are no problems. The stability is a seven or eight out of 10.

We connected with Veracode's support a couple of times, and we got a different answer each time.

Neutral

We used to use Snyk and other tools. The switch to Veracode was an enterprise-level discussion, and I was not involved.

It took some time to see the benefits, around six to eight months.

Although Veracode doesn't scan source code, only binary code, I'm not concerned because we can scan the source code with an SCR tool.

Veracode hasn't yet helped our developers save time. Their development time has increased because, initially, we were only taking the security and vulnerability issues on the higher branches. Now it is on lower branches as well, so the development time has increased. In the local branches, if a report indicates something has not passed, we are not allowing them to merge their code into higher branches.

We have it deployed in a multi-cloud and hybrid environment. We are using AWS, Azure, and VMware vSphere.

Overall, I would recommend Veracode. It is quite helpful.

We used Veracode for code scanning and source composition analysis.

Veracode can block vulnerable code from going into production.

The SBOM is a good option for companies that are asked about their SBOM.

The SBOM helps manage our risk.

Generating SBOM reports is not difficult, but setting up the necessary infrastructure for analysis takes time.

The policy reporting is incredibly robust.

Veracode provides visibility into application status in every phase of development.

The source composition analysis had very good reporting.

Veracode's long scan time for vulnerable code can hinder productivity. There is room for improvement in this area.

Veracode produced a lot of false positives.

Veracode's ability to fix flaws is less sophisticated than that of its competitors. For example, Veracode's static analysis scanning workflow for flaws is not as highly developed as Checkmarx's or Snyk's. Veracode would often provide incorrect sources and fail to identify the source of malicious user input coming to the team.

The process of bundling binaries or code for scanning could be improved.

I trialed Veracode for two weeks. 

In our short trial period, we did experience some stability issues.

Veracode scales sufficiently.

I worked with Veracode's technical consultation staff and found the agent to be incredibly knowledgeable and sophisticated in their use of Veracode, as well as in vulnerable load patterns.

Positive

The deployment was complex.

Ten people were involved in the deployment.

We used the experience of engineers who had used Veracode in the past, as well as feedback from Veracode's engineers.

Veracode's pricing is competitive.

I believe Veracode would be willing to negotiate decent terms for organizations that are concerned about the pricing.

We also evaluated Checkmarx and Snyk, respectively. This puts them at a slight disadvantage in terms of identifying execution paths and their ability to comprehensively show how vulnerable code is executed in our solution.

I would rate Veracode six out of ten.

Once Veracode is fully configured, the maintenance should be relatively minimal.

Veracode's best advantages are detailed reporting for industries such as government work, or other industries that may require exceptionally detailed reports or secure security verifications. However, I would suggest that people look out for the accuracy of results and the usefulness of findings on a large scale. Additionally, Veracode has a difficult-to-navigate user interface.

We use Veracode to test for errors in the code in the applications we are building within our service pipelines.

Veracode assists in preventing vulnerable code from entering production. It is essential to ensure that our applications entering production are free from errors.

It has assisted our organization by providing a report that we can share with our developers, identifying vulnerabilities in their code. This enables them to address the issues before the code is put into production.

Ever since the implementation of Veracode, I have noticed that the processes for rectifying the issues in our pipelines have become much easier.

Veracode helps our developers save time. The solution has simplified the coding process for our developers.

I would rate Veracode's impact on our organization's overall security posture as nine out of ten. The solution has been beneficial to us daily, and we haven't encountered any issues with their solution so far.

The capability to identify vulnerable code is the most valuable feature of Veracode.

There are times when certain modules cannot be scanned automatically, requiring us to manually select these modules and initiate the scanning process on our side.

The vulnerability report has potential for improvement and should encompass more detailed information about the vulnerability, rather than solely identifying it.

I have been using Veracode for three years.

Veracode is stable.

I believe Veracode is scalable, but I am not certain.

I rate Veracode a seven out of ten.

I recommend Veracode. The solution only requires a one-time configuration into the pipeline and the testing is done automatically. 

Integrating Veracode with our pipelines is an easy process. We simply use VML files and the integration is done automatically for us.

We currently have approximately 55 microservices, composed of various teams. Altogether, there are about 170 people utilizing Veracode.

I recommend becoming as familiar as possible with Veracode before using it. Even watch online tutorials to ensure that the deployment goes as smoothly as possible.

We use Veracode for product testing.

We exclusively utilize Veracode for a product used in our consulting services, which we provide on a licensing basis.

We deploy Veracode in the cloud and can utilize any cloud provider, including Google Cloud, Azure, and AWS.

Veracode's ability to prevent vulnerable code from entering production is both effective and thorough.

The SBOM feature is straightforward, making it easy to create reports. The SBOM feature is crucial to our organization because we can utilize the report to effectively present a product to customers, demonstrating its viability and security. 

Veracode has helped us improve our secure coding practices, which, in turn, has boosted our confidence in selling our products.

We were able to experience all of Veracode's benefits for our organization within the first year.

Veracode helps to provide visibility into the application's status at every phase of development. This helps us ensure that our code is secure from the start, saving us time that would otherwise be spent sorting through bugs at the end. 

Veracode's false positives are beneficial for our developers as they assist in organizing and understanding the implications of these false positives.

Veracode has helped our organization address flaws by identifying our mistakes. The initial usage of the solution was challenging due to the large number of code lines that needed to be read, but it became easier over time.

I find all the features valuable, especially dynamic scanning, static scanning, and software composition analysis.

When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us. The duration of the manual penetration testing process needs to be improved.

The cost of the solution can be reduced.

I have been using Veracode for two and a half years.

Veracode is a stable solution.

Veracode is scalable. Veracode is used by around four people in our organization.

The technical support response time is slow. 

Neutral

The initial setup is straightforward. Veracode is a virtual platform, so all we need to do is upload the code, and it will be ready to use. The deployment was carried out by one of our senior product managers.

The implementation was completed in-house.

Veracode's pricing is on the higher end, but it is acceptable.

We evaluated multiple solutions, including BlackBox, three years ago. However, Veracode was the only solution that had all the features and also had a proper certification system in place. The other solutions did not provide a comprehensive suite. For instance, they offered static scanning but lacked dynamic scanning, whereas Veracode provided both, along with a training module.

I give Veracode an eight out of ten. The solution is comprehensive, albeit a bit costly.

We have not observed any impact on our policy reporting and compliance with industry standards and regulations since we started using Veracode.

The false positive rate is slightly high, but we are able to manage it. The false positive rate of the static analysis has not affected the time we spend on the tuning process.

Veracode has not affected our developers' time significantly, as the response rates for certain tasks have been slightly slower.

I recommend conducting a cost analysis and rate of return evaluation to determine whether the solution is worthwhile. I highly recommend using Veracode for complex products, but it may not be as valuable for simpler ones.

Veracode does not require any maintenance.

I have learned that it is necessary to plan our strategy for the product and security prior to using Veracode.

I worked as a security tester for a service-based Indian IT company. I had the admin right on the application where I used to provide access to other developers so they could execute unit-level tests directly from their console. There are many types of security testing activities, such as false positive analysis or looking into the code from a secure point of view, getting the mitigations done, and then retesting the applications.

We initially had more than 15,000 vulnerabilities. Veracode helped us to regulate all the teams. I gave the consult level access and a basic level of access to developers. My manager and I trained the developers in secure coding practices.

DevSecOps is a process that helps improve security in software development. From a DevSec perspective, it is a great way to improve security in software development. However, from a DAST perspective, it is not as good because the results cannot be easily integrated into the CI/CD pipeline. Integration with Jenkins is seamless. It didn't make much of a difference for us, but it could be different for other applications of the latest technology. Veracode has the feature of issue creation in the Jira portal itself. For example, if we're scanning an application and Veracode reports 15 issues after the security scan is complete, the solution will automatically create Jira tasks related to security, which can be assigned to the appropriate developers. Veracode is good from that perspective, but it needs more evolution. The solution needs moderation because if by some chance a big module or issue pops up, we could get 10,000 issues. That would be a real complication from the Jira point of view.

When it comes to false positives, I used Veracode for two-and-a-half years and it has been fine and fair.

When our developers find a false positive it doesn't make much of a difference. They are just happy knowing what is wrong and right. Developers know how to code, but they don't know secure coding. We are generally there to guide them and most of the time, I used to do the false positive analysis by myself and not leave it to the developers. The developers would get a refined and concrete number of vulnerabilities to quickly work on. In some cases, the developers also find issues that we missed because we have to work on multiple applications at once.

I don't believe there's any cost related to the machine-learning side of Veracode, but it takes a lot of time because SaaS issues are those that couldn't be resolved by a junior or intermediate-level developer generally. Most of the time, these issues are resolved by people with five-plus years of experience because there are security issues. To understand the security complications, we need to have some knowledge of the architecture and design levels of the application. If we don't have design-level information, it's difficult to correct. Without a senior-level developer to guide us, it can cost us a lot. The senior resources getting deployed could be used elsewhere for more development activities. However, the mitigation is provided by Veracode and the detailed report is very good.

Veracode has helped fix flaws affecting our organization by making the applications a lot more secure.

We use a code review-based tool, so the unique aspect of Veracode is that it is really good for legacy or old technologies. It can scan old databases and old code written 20 years back.

Depending on the technology we are working with, the solution's ability to prevent vulnerable code from going into production whether it is Java-based code or ASP.net, the efficient number of identification codes is the best in the market for legacy technologies. I would use Fortify or Checkmarx to test accordingly using the latest code.

The best feature I like about Veracode is the ability to give low-level access to accounts. The identity access management system is really good and we can even integrate it with the ID. For example, if we're coding in Eclipse or something similar we can push the code from the ID directly into Veracode's backend to have its security tested. It is cloud-hosted and the downtime is very minimal. We could check the results anywhere, anytime. This makes the platform's independence very good. 

The solution provides visibility into application status at every phase of development. We can see and make adjustments accordingly at each level.

Veracode is a great solution for old applications. I would only recommend Veracode for older applications.

One of the most important areas that need improvement for Veracode is its DAST. Veracode's DAST engines are primitive. They need to work on that. It needs to be their number one priority.

The number of vulnerabilities and quality of the latest technology when compared to other scan engines such as Fortify and Checkmarx is not as good.

Veracode has multiple sides when it comes to dynamic testing. They offer software composition analysis, dynamic scans, and static scans. However, I would not recommend Veracode for dynamic testing because it wasn't able to scan many of our applications properly. Some of the other solutions were really efficient and proactively reported a lot of vulnerabilities. The Veracode scanner was not able to properly scan the applications because of authentication issues and login issues. HP Web Inspect and Microfocus Web Inspect allow us to make scripts by ourselves, which will then enable the scanner to scan the website in a more proper and systematic way. There were a lot of complications with Veracode's dynamic point of view, and a negligible amount of vulnerabilities were reported. On the other hand, when I tried Next Parker or Micro Focus Web Inspect, things were really good.

If we have to scan the latest code, for example, if we have written a piece of code in Angular or Node.js, we can't consider the solution because it is not as good as other solutions using newer code.

I have been using Veracode for two and a half years.

Veracode is stable, but every now and then something breaks. From a stability standpoint, I would give the solution a seven out of ten.

Veracode is scalable. I give the scalability a ten out of ten.

The technical support is really slow. Their availability is sparse. It sometimes takes two months to have a resolution.

Negative

I started my career with Veracode, a DAST review tool. I worked there for two-and-a-half years.

The solution is not deployed on our systems. It is cloud-based and only requires logging on.

The requirements for the code determine whether Veracode is the best option or not. If the code is 15 to 20 years old, and it is very important, then Veracode is the best option. If the code is very new, then I wouldn't want to spend any money on the solution. It all depends on the requirements.

There is a fee to scale up the solution, which I consider expensive.

We did POCs and collaborated with Fortify, Veracode, and Checkmarx to see who gives the best results for all the applications. Veracode gave the best results, so we chose them for our organization.

I give the solution a six out of ten.

Veracode has not directly helped our developers save time. There was no interaction between the Veracode team and us, so it was minimal whenever some issues such as false positives are reported by the solution. There were some issues with the Veracode engines a few times that required customer support to resolve.

I used to go to Veracode's website and log in. It was updated automatically, and I could access it from multiple devices. I'm not sure which cloud they were using, but it was managed by Veracode.

We have around 18 people using Veracode and two of them are administrators.

Veracode is accessed via a website on the internet. Their backend team takes care of any maintenance that is needed.

We use Veracode to find any vulnerabilities and for risk management.

There are multiple ways to use Veracode. We can use Veracode directly in our ID environment, and we can use it in the UI environment in our platform. We can integrate it with GitHub or GitLab. We can also install SourceClear as an agent.

It helps to reduce the application risk rate. It checks for any vulnerabilities or CVE IDs against its database. If any vulnerabilities are present, it gives suggestions, remediations, and fixes. They have recently started with Veracode Fix, so the auto-fix capability is there for your code.

Previously, it was very difficult to find vulnerabilities and scan threats. It is a primary need to maintain the security of our code. Veracode is a good option. It provides all kinds of features for developers.

Veracode checks for vulnerabilities in the static code, third-party libraries, and infrastructure. If there are any vulnerabilities in your static code, it will provide them. It can also auto-fix them with Veracode Fix. For Web APIs, there is a solution called DAST Essentials. It came out recently, but it is a very good solution.

It has been a year since I have been using Veracode, and it has been very helpful. It gave me the vulnerabilities present in my code, such as SQL injection, and the fixes for them. It gives good suggestions to improve the score of our code base. It gives a lot of things.

I started using Veracode Fix about one month back. It can automatically fix whatever vulnerabilities are present in the code. In GitHub, it shows the line numbers that it has fixed. It also provides a reason to fix them. It also gives a report based on your policies. If any high-severity vulnerability was there, it tells you how it was fixed. Everything is given in detail in the reports. It is very good.

Veracode's policy reporting is good for ensuring compliance with industry standards and regulations. I would rate it an eight out of ten for that.

Veracode provides visibility into application status at every phase of development, but the option of infrastructure and deployment security is not there in Veracode. They have probably started working on that.

We use third-party libraries, and it suggests using only the safest versions. It gives suggestions on vulnerabilities that are present and how to fix them. It is very good. It makes our code secure.

Veracode saves 10% to 20% time of developers. 

I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabilities. It maps everything for you. It gives suggestions and remediations.

They should provide infrastructure management. They have not included any infrastructure security. Kubernetes images are also not there.

Their scanning engine is sometimes a little bit slow. They can improve the scan time.

I have been using Veracode for more than one year.

It is stable. I would rate it an 8 out of 10 for stability.

It is scalable. We have 5 projects. In every team, 2-3 people are using Veracode. We have a dashboard, and through that dashboard, we log in to our account. We are also using a GitHub wrapper.

We have a sprint of 2 weeks, so every 2 weeks, we deploy code. We have a team of 10 people, and at a time, at least 5 people are involved in the deployment.

They have an Application Security Consultation team. Veracode support is also there. We can email them for any issues, and we can also connect with the ACS team through a Zoom meeting.

Their documentation is also very good. In the case of any issues, we follow the documentation.

Neutral

I have previously worked with SonarQube. The decision to switch to Veracode was taken by our management.

Veracode is better than SonarQube. In SonarQube, you need to give individual code, and then it fetches the details. With Veracode, you can get details about your entire application. Veracode Fix is also there to auto-fix the code. For web applications also, so many things are there with Veracode.

It is a very good product. Veracode Fix is also there. It gives very good solutions about the code and its reusability and fixes. It has been there for the last 17 years. Without such a solution, it is very difficult to find vulnerabilities and manage fixes. 

I would recommend using Veracode. It has good features. It scans your source code and your third-party libraries. There are a lot of new products in the market, but Veracode is good.

Overall, I would rate Veracode an 8 out of 10.