Associate Software Engineer at a healthcare company with 201-500 employees
Real User
Helps prevent vulnerable code, significantly reduces build time and investigation time
Pros and Cons
  • "The Veracode support team is excellent."
  • "I would like Veracode to add more language support."

What is our primary use case?

Previously, finding security issues in our complex healthcare software was a time-consuming process. Manually reviewing all logs took half our time. However, Veracode has revolutionized our workflow.

With Veracode's automated solution, we now receive daily reports highlighting security vulnerabilities. This allows us to address issues promptly, significantly reducing the previous two to three-week investigation period.

Veracode also eliminates the need for manual testing, freeing up our team for other tasks. Its user-friendly interface provides comprehensive scans and detailed reports, and even pinpoints specific lines of code causing issues.

This shift-left approach has greatly improved our development process, resulting in fewer customer complaints. Proactive vulnerability detection and efficient issue resolution have significantly enhanced our team's productivity.

How has it helped my organization?

Veracode does a great job preventing vulnerable code from going into production. For enterprise-level companies, saving time is paramount. Previously, manual testing took days and still didn't uncover as many issues as Veracode now identifies. Despite having a skilled testing team, their workload has been reduced by 70 percent thanks to Veracode. This newfound efficiency has revealed vulnerabilities we wouldn't have found otherwise. Veracode excels at showcasing issues and their severity, extending beyond violation errors to encompass potential security risks and logic-related issues. Its user-friendly interface simplifies the process for all users, regardless of their technical expertise. As a developer, I recognize the immense effort behind Veracode's seamless operation. It automates the grunt work, freeing up our developers to focus on other tasks.

The policy reporting for ensuring compliance with industry standards and regulations is good. Veracode covers a vast majority of industry standards and identifies areas within our code that don't comply with those standards, providing remediation suggestions.

Veracode provides comprehensive visibility into application security throughout the entire Software Development Lifecycle. During the coding stage, Veracode scans the entire codebase for vulnerabilities. Additionally, we utilize Veracode's static analysis capabilities for further security assessment. Once the product is published and deployed to the production environment, Veracode analyzes the entire software stack to identify any potential security risks. In short, Veracode plays a vital role in various stages of our software development and production process.

Veracode has significantly improved our speed in fixing software flaws. It has also transformed our approach to addressing issues. Previously, we spent considerable time investigating the root cause of errors in the code. Now, thanks to Veracode, we can devote more of our intellectual resources to directly fixing the system, which ultimately results in a more efficient product for our users.

It has significantly reduced our build time. We automate our builds every day, running them between 3:00 AM and 5:00 AM. Once the build is complete, Veracode scans the entire build and provides a report by 6:00 or 7:00 AM. This allows us to review any new issues in the build by the time we start work at 9:00 AM, enabling us to address them quickly. Previously, this process took several days, but with Veracode, it now takes just a few hours. We now continuously review and fix issues every day, leading to significant time savings compared to our previous weekly review process.

Veracode has significantly enhanced our security posture by improving our security practices and increasing the efficiency of our security team. Additionally, we are now experiencing a decrease in the number of errors reaching production. Previously, our development process involved developers building and deploying code, then sending it to the security team for evaluation and subsequent feedback. This cycle was often repeated multiple times, leading to delays and inefficiencies. However, with the implementation of Veracode Greenlight, developers are now empowered to test their code directly, effectively shifting our first layer of security. This shift has enabled us to deliver even more secure products while simultaneously saving substantial amounts of time.

What needs improvement?

I would like Veracode to add more language support.

To use the Veracode extensions, we need to create a file in a folder and name it "prevention and filters." It would be more user-friendly if Veracode could automate this process by creating the file automatically when the Greenlight extension is installed. Additionally, a pop-up tool for security could be shown to guide users through the process, making it more user-friendly.

For how long have I used the solution?

I have been using Veracode for six months.

Buyer's Guide
Veracode
April 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
851,823 professionals have used our research since 2012.

What do I think about the stability of the solution?

Veracode has been a stable platform for us to date.

What do I think about the scalability of the solution?

Veracode can scale based on the price tier selected. I would rate the scalability of Veracode a nine out of ten.

How are customer service and support?

The Veracode support team is excellent. I had an issue removing an account, so I emailed support. They created a case for me within one minute and sent me an automated email with a registered ticket. Within five to ten minutes, I was contacted by a support representative who quickly understood my problem.

My account had expired on the platform but hadn't been deleted from the backend. The representative understood this right away and provided a solution for a hard delete. He was also very knowledgeable but explained that he needed the administrator's permission to proceed. He suggested I add him to the thread, and everything was resolved smoothly.

How would you rate customer service and support?

Positive

What other advice do I have?

I would rate Veracode a nine out of ten.

Minimal maintenance is required for Veracode.

We are not concerned that Veracode does not scan source code, as we believe scanning binary code is a more advantageous option.

Since security is paramount for applications, utilizing Veracode to identify and remediate vulnerabilities is a wise investment. This approach frees up valuable time and resources, allowing for more efficient progress.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
CEO at CareerCraftly
Real User
Top 5 Leaderboard
It has also enabled us to identify and fix bugs earlier, which is cheaper than fixing issues after a product is launched
Pros and Cons
  • "Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production."
  • "The scanning could be a little faster. The process is around three or four minutes, but it would help if it could be further reduced."

What is our primary use case?

Veracode helps us identify bugs and flaws in our code while operating it. We use the solution's static analysis feature to analyze code before running applications, and dynamic analysis, which scans the app while it's running.

We typically run Veracode at the end of the development phase when we are ready to launch our software. We also scan for vulnerabilities after the software goes into production. It's the final phase of our development cycle.

How has it helped my organization?

Veracode has reduced the amount of time we spend manually investigating our code. It has also enabled us to identify and fix bugs earlier, so we don't need to release patches after a product is launched. 

The false positive rate is quite low, which is critical. If it had a high false positive rate, it would be difficult to trust this software. We can discover lots of errors and bugs manually, but this software enables us to clear any error or compliance issue with a low false positive rate. It's highly efficient in that sense. We can trust the process, so we spend less time investigating issues manually.

In one development cycle, Veracode usually saves us four or five hours of human work that goes into checking the code, finding errors, and fixing them manually. The remediation is also built into the software.

What is most valuable?

Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production. Veracode helps prevent vulnerable code from entering production, and it has a low false-positive rate, so it can reliably find real vulnerabilities. 

The software bill of materials feature has proven helpful in finding bugs and flaws that may cause problems in our product when we launch it. It has helped a lot to exponentially reduce the cost after the launch cycle. It is quite easy to create reports and perform a detailed analysis because much of the process is automated. It can fix most issues automatically.

What needs improvement?

The scanning could be a little faster. The process is around three or four minutes, but it would help if it could be further reduced.

For how long have I used the solution?

I have used it for four months.

What do I think about the stability of the solution?

We haven't experienced any downtime since we started using it. It is highly stable. We haven't seen any server crashes from their side. 

What do I think about the scalability of the solution?

Veracode can handle lots of processes, so I would say it is scalable.

How are customer service and support?

I rate Veracode support eight out of 10. The response times are fast. If we have a problem, they respond within four or five hours. 

How would you rate customer service and support?

Positive

How was the initial setup?

The setup process was straightforward, and the Veracode team guided us through the deployment, which took about four or five hours. It only takes one person to install the solution. It doesn't require any maintenance after deployment. 

What was our ROI?

Veracode has eliminated a lot of manual security processes that cost a lot of money and time. It has saved us lots of time and money for development.

What's my experience with pricing, setup cost, and licensing?

The cost of scanning code is cheaper. It's typically $0.50 per line of code. However, it's expensive to run a high-level process that would normally require a human security expert. For example, penetration testing costs about $1,000 per application. The cost of these features may be too high for smaller organizations. On the other hand, Veracode's interactive application security testing is fast and cheaper compared to other software.

What other advice do I have?

I rate Veracode nine out of 10. If anyone is considering Veracode, I suggest trying a demo beforehand so that you can see how it addresses the kind of problems your organization is facing and how it works with the programs you are creating. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Security Analyst at an insurance company with 10,001+ employees
Real User
Helps developers to create secure code but should have better visibility of the code flow
Pros and Cons
  • "From a developer's perspective, Veracode's greenlight feature on the IDE is helpful. It helps the developer to be more proactive in secure coding standards. Apart from that, static analysis scanning is definitely one of the top features of Veracode."
  • "It does not have a reporting structure for an OS-based vulnerability report, whereas its peers such as Fortify and Checkmarx have this ability. Checkmarx also provides a better visibility of the code flow."

What is our primary use case?

We use Veracode for static application security testing (SAST). We also use it for scan or software composition analysis (SCA) testing purposes. We mainly use it to triage the flaws or vulnerabilities that are found in our coding standards so that we can enforce secure coding practices at the developers' end. Because we are a part of the security team, we provide mitigation for the development team on all the SAST vulnerabilities that we come across.

How has it helped my organization?

We use it for static application security testing. It helps us with proactivity. Before the product or the application is deployed on the production environment, we have a DevSecOps pipeline that kicks in, and we are able to triage the flaws or vulnerabilities that Veracode shows based on our policies using the Open Web Application Security Project (OWASP). Veracode definitely helps us to go through the vulnerabilities and fix them before they go into production so that bad actors cannot exploit them.

In terms of software composition analysis or SCA, we have come across several libraries and packages that were vulnerable and detected by Veracode. We work on getting the latest updates or packages so that we do not fall back on the security front.

When it comes to visibility, I am not sure whether it is through Veracode, but we have our pipelines built on Azure. We do get to see whenever a scan is kicked off and whether the Veracode check has passed. There is no direct visibility in Veracode apart from the dashboard, which does have information about what type of scan has been performed and whether it is a policy sandbox or just a testing sandbox.

Veracode has been fairly decent for fixing flaws. We have mainly been using it for SAST. For DAST, we have our AppScan from HCL, but Veracode is fairly decent for fixing flaws or trying to be proactive and ensuring all of our applications have been securely developed.

In terms of policies, it works fine. Our policies are mostly predefined. They were defined by our previous team. We look into the policies based on the scan dates.

What is most valuable?

From a developer's perspective, Veracode's greenlight feature on the IDE is helpful. It helps the developer to be more proactive in secure coding standards. Apart from that, static analysis scanning is definitely one of the top features of Veracode.

Recently, I came across a new workflow, which I had seen in Checkmarx, that shows how a vulnerability flows from the start point to the end point of a function. 

What needs improvement?

There can be a lot of improvement. It does not have a reporting structure for an OS-based vulnerability report, whereas its peers such as Fortify and Checkmarx have this ability. Checkmarx also provides a better visibility of the code flow.

Veracode is 75% or 80% accurate. At times, we do come across a lot of false-positive cases, but this is an issue with all security tools. Unfortunately, we do not see an option to set the policies because policies are predefined. Overall, when comparing it with its competitors, Checkmarx is better than Veracode in false-positive rate. Veracode's false-positive rate is decent. It is not too good and not too bad, but there is a lot of room for improvement. I personally found Checkmarx to be more accurate than Veracode. This false-positive rate has an effect on the security team because, for a false positive, a developer raises a ticket for us, and our job gets a little bit more hectic because we have more vulnerabilities to create rather than focusing on the positive ones. It is daunting when too many false positives are being reported by the development team for triaging purposes. However, in one of the calls related to their roadmap, I saw a feature where you can go through the code, and it provides you with some mitigation. 

For how long have I used the solution?

I used Veracode at the beginning of my career from 2017 to 2019. I then switched my job, and my next company used Checkmarx, which is a competitor of Veracode. I changed my job again in 2021 and have been using Veracode in this company. Overall, I have close to three years of experience.

What do I think about the stability of the solution?

It is pretty stable. I would rate it a nine out of ten in terms of stability.

What do I think about the scalability of the solution?

We are using the SaaS offering, so it is pretty scalable. I would rate it a nine out of ten in terms of scalability. 

How are customer service and support?

Whenever there is a flaw that we cannot understand, we have something called Veracode consultation. We raise a ticket and follow up on the ticket. That is it. They are well-versed. The only challenge I face is that I am based out of Ireland. The time zone is a pretty big issue for us most of the time. Whenever we have a code support call, the majority of the time, it happens late at night. That is one of the reasons why we tend to skip the consultation calls. I would rate their support a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have worked with Checkmarx in another job. I prefer Checkmarx over Veracode. Checkmarx provides a better visibility of the code flow. Veracode also has code flow, but it is in IDE, so you need to manually jump through the code and check the flow. It is easier for someone with experience, but someone new to the security domain will find it tough, especially when there is no clear picture of the workflow to know what is going on. This is a feature that I would like in Veracode.

How was the initial setup?

It is a SaaS or cloud solution. It is definitely not on-prem. We sign in using a single sign-on.

I was not involved in its deployment. There is no maintenance as such. 

What other advice do I have?

To those evaluating Veracode, I would say that unless you get hands-on experience, it is difficult to evaluate. So, I would advise getting hands-on experience with the tool. I would also advise checking out other solutions such as Fortify and Checkmarx.

Overall, I would rate Veracode a seven out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Oscar Narvaez - PeerSpot reviewer
COE Head at a tech services company with 1,001-5,000 employees
Real User
Top 20
The dynamic analysis feature helps secure risky web applications
Pros and Cons
  • "I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc."
  • "Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data."

What is our primary use case?

Our primary use case for Veracode is to secure our software development lifecycle. It's deployed in a couple of countries and connected to multiple applications. It's used by five development teams, each of which has a different focus, such as digital channels, CRM, ERP, backend deployment, and billing. We also have a team that coordinates all of the efforts of the secure development policies. That team sets the guidelines and policies. The entire development team has about 20-30 people. 

How has it helped my organization?

Veracode has sped up the development cycle, helping us bring products to the market faster. I work at an IT services company with hundreds of customers who have various needs for different kinds of tools. That doesn't mean we use Veracode for all our customers, but for certain customers, it's critical because the solution reduces the amount of time needed to prevent and detect issues. Bringing secure applications into production is essential. 

We can't just rely on our development teams to make, test, and manually review the code. We need powerful tools that provide a strong framework for detecting vulnerabilities and scanning application components. Penetration testing is the most important because hackers break into the application and access the information. 

Dynamic analysis is also crucial for web applications, which can be risky. Veracode can dynamically detect vulnerabilities and block traffic. It is sometimes hard to differentiate real users from hackers. Dynamic analysis must be implemented with a user-sensitive perspective. 

I work in Latin America, and there are regulations on information security and the use of customer information. The most vital areas are things like health information and finance. You can face penalties for failing to protect customer information, so it's critical for us to secure our code during development. Any vulnerable code or application component can risk disclosing customer information from customers and allowing an outsider to penetrate the systems or databases.

Veracode offers visibility throughout the entire development lifecycle. SecOps is an essential framework inside the organization currently because we need to deliver applications to market faster while improving code quality. It's crucial to be careful when using code generated by community sources. We need to test the final applications and also the components and packages in any code repository we use. 

We're deploying complex pipelines and utilizing CI/CD. For example, Veracode is important when connecting management tools, code repositories, and various cloud components. Having that integration and capacity to connect to various tools in the DevOps framework is vital for the DevOps team. Every business must decide its risk tolerance and set a threshold of vulnerability permissions in the application to detect. It's really powerful if you can configure the threshold correctly. 

Developer confidence depends on their capacity to understand, and Veracode has to detect vulnerabilities and provide suggestions for correcting them. Sometimes it's an upgrade; sometimes not. It also provides different kinds of information to the developers. 

Veracode has had an enormous impact on our ability to detect flaws. It's risky if we don't have the capacity to detect vulnerabilities in the earliest stage of development before the applications go into production. It's also an important time-saving tool. It reduces the time spent manually addressing vulnerabilities by about 20-30 percent. 

What is most valuable?

I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc. 

Most of the time, the key thing was to ensure the security of digital channels and reduce the risk of any breach that could cause a security issue. It's critical to maintain the security of sensitive information transferred from our customers to the sales staff. Keeping that data secure is important for the customer relationship and also for compliance and recurring sales.

I rate Veracode 10 out of 10 for its ability to prevent vulnerable code from entering production. It has a lot of useful and intuitive features. In previous settings, static analysis was one of the primary use cases, but dynamic analysis is also helpful. Veracode is highly valuable because one vulnerability could result in service downtime or worse: a leak of customer information. 

The investment in the tool is justified because we can detect and prevent vulnerabilities much earlier in the process. Software composition analysis is also vital when we use open-source middleware or backend components for business-critical functions like bringing information from one source to another or connecting one application to another. 

What needs improvement?

Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data. 

You pay for all of the time that the tool is running, not for the number of scans. There are specific rules governing the amount of traffic applications can consume from the allotment you have. I would like the pricing to be more personalized. For example, some companies don't have a large budget for this kind of tool, whereas a large enterprise can acquire this kind of solution and pay for it. However, I'm an IT consultant working with various types of customers in different industries, including finance, insurance, and telecommunications.

For how long have I used the solution?

I started using Veracode at least three years ago.

What do I think about the stability of the solution?

Veracode is a highly stable platform. I haven't experienced any service disruption, and the performance is solid. 

What do I think about the scalability of the solution?

I've used Veracode in a telecommunication company with a huge environment and more than a hundred applications. I don't have experience with smaller-scale use cases, but I know the cloud is quite scalable. 

How are customer service and support?

I rate Veracode support nine out of 10. We get support from the resellers and direct support from Veracode analysts. We call the support team or the architect when there is a serious technical issue.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I haven't used a commercial tool like Veracode before. It depends on where I'm working, but the most common tool we use is an open-source solution called SonarQube. 

How was the initial setup?

Veracode is straightforward to deploy. It's not hard to connect it, and we had support from a local vendor to help us integrate it into our dev lifecycle. It required only one person from my team. 

What about the implementation team?

We had assistance from our local reseller, and the experience was great because we had a direct connection from the partner to the brand. We have a local team member who was in charge of the resell process. 

What was our ROI?

We calculate the return on investment primarily based on the risk. We calculate the ROI annually, but it's not very detailed. We factor in the risks associated with the loss of customer information, penalties for noncompliance, etc. In the worst-case scenario, we estimate that we could potentially lose up to $1 million annually.

What's my experience with pricing, setup cost, and licensing?

The licensing model could be more flexible, and Veracode could be more accessible to smaller enterprises. We obtained Veracode through a consultancy. Veracode sets the price through consultation with our reseller, but I have yet to get a direct quotation without any other reseller in the middle. If you are worried about the price, I would say that you could request more information and do a trial, then see if you can negotiate an offer. 

Which other solutions did I evaluate?

We decided to use Veracode without comparing it to any other kind of solution. We had a kind of consultancy from one of the companies, the IT services company that was one of our partners, and they worked close to us, and we selected Barracuda, the tool that we needed.

What other advice do I have?

I rate Veracode nine out of 10. It's an excellent solution for securing the development lifecycle. I recommend starting with a trial and getting in touch with the account team to explore all of the different features. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Application Security Engineer at Advantasure
Real User
It offers different types of scans we need in one integrated solution
Pros and Cons
  • "I like Veracode's static scanning and SCA. We use three static scans, software composition analysis, and dynamic scans. We haven't used dynamic scanning as much, but we're trying to integrate that into our environment more."
  • "Software developers are always thinking about the next big thing but lose sight of what's happening right now. If you have an idea for a feature request, you must submit it to be voted on by the Veracode community. I don't like this. No one will look at it unless enough people vote for it."

What is our primary use case?

Veracode is our primary tool for identifying and resolving security flaws in our web-based applications. When I started at Advantasure, I worked on a claims product, using the tool to remedy coding issues and identify high-risk security flaws. I did that for a while before transitioning to a role as an application security engineer. In this job, I don't fix any security flaws. I help operate the environment. 

We have integrated Veracode with Jenkins so that we can automate building and scanning code. Jenkins uploads the build to Veracode for static and SCA scanning. 

I'm working remotely through a VPN. When I log into Veracode, I check the various applications out to ensure everything's running. If we have any issues, I report them to the appropriate teams. 

How has it helped my organization?

We are in the health insurance industry, so compliance with security and privacy regulations is essential. Veracode is the industry standard. We use Veracode when we do internal audits and that sort of thing. You won't be in business for long if you don't have an industry-standard static security tool.

I have only worked at this company for two years, so I can't comment on what it was like before I joined, but Veracode does a good overall job of interfacing with us and giving us advice about areas we can improve. The company has used Veracode for a while, so it's not about improving per se. It's about maintaining and learning to use the tool better or making better use of dynamic scans. Our security doesn't depend on one feature. We're implementing multiple features, such as static and dynamic scans. 

Their policies are relatively helpful for compliance. The policy configuration tool works well. We try to use one policy to cover all our applications. Once we've configured the policy correctly, it does an excellent job of applying that to each application and ensuring compliance. Veracode provides good visibility, and the reports are integrated, so we get insight into each type of scan.

Veracode's false positive rate is decent overall. The biggest challenge isn't a C or C++ call, but it's tricky to follow the data flows when using a web interface. You get a few false positives every once in a while. 

I always tell our developers to verify all false positives because Veracode cannot follow your code flow. It's up to the developer to follow the code flow and check whether it's a false positive. The initial report is an excellent place to start. I don't think the false positives affect developer confidence. I never hear anybody complain about false positives.

The biggest challenge isn't Veracode; it's getting our developers to be compliant. Our organization is undergoing some changes, and we must remind the developers to do their jobs. As an application security engineer, I struggle to get developers to do these tasks because they don't want to do them. At the end of the day, the false positive rate doesn't affect developer productivity.

Veracode doesn't really help developers save time because we're already a mature organization. Their support team has helped us optimize our scan configuration significantly. Regarding the regular developers' goals, we have existing documentation and hold meetings with them. They do support consultations when developers have an issue. 

What is most valuable?

I like Veracode's static scanning and SCA. We use three: static scans, software composition analysis, and dynamic scans. We haven't used dynamic scanning as much, but we're trying to integrate that into our environment more. 

For the most part, we've had good luck with the static scans as well as the software composition analysis scans. Veracode does a decent job of catching most vulnerabilities from making it into production, but it doesn't catch everything.

What needs improvement?

I have a few pet peeves and minor areas of irritation. Their customer success team does an excellent job, but getting their internal engineering team to do things isn't easy. They seem to lack a focus on maintaining the solution and improving it in the next generation. 

It's a common problem in the industry. Software developers are always thinking about the next big thing but lose sight of what's happening right now. If you have an idea for a feature request, you must submit it to be voted on by the Veracode community. I don't like this. No one will look at it unless enough people vote for it. 

Another issue we have concerns entry points. You must select the entry points for a static scan of your stuff. However, you can fix this by having templates in Jenkins. Things can sometimes change, confusing Veracode. I want to lock those entry points in. Eventually, our DevOps team will create templates for everything. If I want a new template, I need to submit it to the community and get my peers to vote on it. It's a waste of time. 

For how long have I used the solution?

I have used Veracode for two years.

What do I think about the stability of the solution?

I've been impressed with Veracode's stability. The solution doesn't go down often. The dynamic scans went down the other day, but that was a problem with the infrastructure, and AWS rarely has outages. Overall, it's dependable. 

What do I think about the scalability of the solution?

We haven't had any scalability issues with our current scan volume, but we're a medium-usage client. We have more than 30 static scans and 12 to 15 dynamic scans and don't seem to have issues with performance. 

How are customer service and support?

I rate Veracode support 7.5 out of 10. Overall, our technical support is decent. You have to find someone who works well with you. My biggest challenge is dynamic scanning and getting up to speed on that. You must find out who's good and stick with them as much as you can. 

How would you rate customer service and support?

Neutral

What was our ROI?

Our ROI comes mainly in the form of compliance. We get a star rating when we're automated, and we need to maintain that. We currently have a fairly high rating, so it's not so much about gaining stars. We need to avoid losing them. By maintaining our high rating, we can also gain more clients. 

What's my experience with pricing, setup cost, and licensing?

Veracode is expensive, but other solutions cost as much, if not more. For example, Rapid7's dynamic scan tool was at least as expensive as Veracode, and Rapid7 wasn't willing to negotiate. We are a reasonably large user. 

It's a fair price. If you're worried about getting your money's worth, you could ask Veracode for a trial license and compare it to other tools in terms of pricing versus features. That's how I would do it. It's crucial to do your homework. At this point, we're somewhat locked in and won't change unless we find something significantly cheaper or better. 

Which other solutions did I evaluate?

The company looked at other options, and we try to do one-stop shopping when possible. We looked at other tools like Rapid7 but decided against doing a proof of concept because it doesn't offer static analysis. I don't think they could do software composition without static analysis. 

We could use Rapid7 for dynamic scans, but then we would have issues with report integration. One of the primary reasons we use Veracode today is that they have solid support. They typically respond to almost any ticket within 24 hours. Veracode also does an excellent job of integrating its various tools for static scanning, dynamic scanning, etc. 

At the end of the day, we stay with Veracode primarily because of the solution's integration. Our license is up this year, and we currently have no plans to seek out another vendor. We may consider switching next year.

What other advice do I have?

I rate Veracode seven out of 10. Before you evaluate Veracode or any other solution, you need to sit down with other specialists and decision-makers to develop some criteria. See if Veracode will give you a free trial license, and start testing it out. You can also check Gartner. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
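The Jenkins-driven build-upload-scan flow and the single shared policy this reviewer describes, as an added illustration that is not part of the original review and not Veracode's own code or API: a small policy gate run over constructed SAST and SCA findings, of the kind a pipeline stage would apply before letting a build proceed. The report shape, field names, severity ranks, thresholds, and the module, component and advisory identifiers are all assumptions made for this example; it also encodes the reviewer's caveat that a developer-claimed false positive should not lower the gate until someone has followed the data flow and accepted the mitigation.

```python
"""Policy gate over a constructed SAST + SCA scan summary.

Added illustration, not Veracode's code or API: the finding records and the
policy thresholds below are assumptions chosen to mirror the reviewer's setup
(one policy applied to every application, high-severity flaws block the build,
developer-claimed false positives only count once a reviewer accepts them).
"""
from dataclasses import dataclass

# Severity scale as shown in Veracode's UI; the numeric ranks are ours.
SEVERITY = {"Very High": 5, "High": 4, "Medium": 3,
            "Low": 2, "Very Low": 1, "Informational": 0}


@dataclass(frozen=True)
class StaticFlaw:
    flaw_id: int
    cwe: int
    severity: str
    module: str
    mitigation: str = "none"   # none | proposed | accepted | rejected


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    advisory: str   # placeholder id for the example, not a real CVE
    cvss: float
    licence: str


@dataclass(frozen=True)
class Policy:
    max_unmitigated_severity: int = 3          # anything above Medium blocks
    max_cvss: float = 7.0                      # SCA: block at High and above
    banned_licences: frozenset = frozenset({"GPL-2.0", "GPL-3.0"})


def blocking_flaws(flaws, policy):
    """Static findings that fail the gate.

    A flaw blocks when its severity exceeds the policy threshold and it has no
    *accepted* mitigation. A merely 'proposed' mitigation is the developer's
    claim of a false positive; it does not lower the gate until someone else
    has followed the data flow and accepted it.
    """
    return [f for f in flaws
            if SEVERITY[f.severity] > policy.max_unmitigated_severity
            and f.mitigation != "accepted"]


def blocking_components(components, policy):
    """Third-party components that fail the gate on CVSS score or licence."""
    return [c for c in components
            if c.cvss >= policy.max_cvss or c.licence in policy.banned_licences]


def evaluate(flaws, components, policy=Policy()):
    """Return (passed, reasons); reasons is empty when the build may proceed."""
    reasons = [f"flaw {f.flaw_id}: CWE-{f.cwe} {f.severity} in {f.module} "
               f"(mitigation={f.mitigation})"
               for f in blocking_flaws(flaws, policy)]
    reasons += [f"component {c.name}@{c.version}: {c.advisory} CVSS {c.cvss}, "
                f"licence {c.licence}"
                for c in blocking_components(components, policy)]
    return (not reasons, reasons)


# Constructed sample report: module and component names are made up, and the
# advisory ids are placeholders rather than real CVE numbers.
SAMPLE_FLAWS = [
    StaticFlaw(1, 89, "Very High", "claims-api.war"),                    # blocks
    StaticFlaw(2, 79, "High", "claims-web.war", mitigation="accepted"),  # reviewed FP
    StaticFlaw(3, 79, "High", "claims-web.war", mitigation="proposed"),  # still blocks
    StaticFlaw(4, 117, "Medium", "claims-api.war"),                      # under threshold
]
SAMPLE_COMPONENTS = [
    Component("example-json", "1.0.0", "ADV-PLACEHOLDER-1", 9.8, "Apache-2.0"),  # blocks
    Component("example-log", "2.1.0", "ADV-PLACEHOLDER-2", 5.3, "MIT"),          # passes
    Component("example-util", "0.9.0", "none", 0.0, "GPL-3.0"),                  # licence
]


def main():
    passed, reasons = evaluate(SAMPLE_FLAWS, SAMPLE_COMPONENTS)
    for reason in reasons:
        print("BLOCK", reason)
    print("policy gate:", "PASS" if passed else "FAIL")
    # A non-zero exit status is what lets a Jenkins stage fail the build.
    raise SystemExit(0 if passed else 1)


if __name__ == "__main__":
    main()
```

The design point is the mitigation field: the gate only discounts a finding once its mitigation is `accepted`, so a developer marking something as a false positive still surfaces in the report until a second person reviews it, and the same `Policy` object is applied to every application rather than per-project exceptions.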
PeerSpot user
Vice President of Engineering at Avant Assessment
Real User
Helps us capture security vulnerabilities that we would not catch otherwise
Pros and Cons
  • "The Security Labs [is] where I have the developers training and constantly improving their security, and remembering their security techniques. That way, they are more proactive and make sure things are correct. They're faster because they're doing it in the first place."
  • "There are many times when their product goes to check my code and it dies, and I don't know why. I've contacted support and they're not really helpful with this particular problem. I go to the logs and I look at what I can but I can't tell why the check process has essentially just died in the middle of checking."

What is our primary use case?

We use it for security validation. As a company, we need to make sure that our code is secure. Not only do we need and want to do this for ourselves, but we also need to do it because of our security obligations to our clients.

How has it helped my organization?

It has been helping us capture security vulnerabilities that we would not catch otherwise.

When it comes to our ability to fix flaws, Veracode has given us more visibility into certain flaws that could show up, flaws that can be subtle and not seen in the code. For example, though it was not obvious, there was a case where a developer naively added the authentication into the code, which we're not supposed to do, obviously. It was not seen by our review process, and Veracode caught it and we were able to eliminate it.

It has also helped us to save time. The example, and where I see the most benefits of that, is in the Security Labs, where I have the developers training and constantly improving their security, and remembering their security techniques. That way, they are more proactive and make sure things are correct. They're faster because they're doing it in the first place.

Overall, in terms of our security posture, Veracode has made us more reliable. We're finding those flaws and our clients trust us more because of it.

And when considering whether it has reduced the cost of development, security, and operations for us, the short answer is no. But the long answer is yes. It clearly has added more procedures in place, which we needed to have, and that has definitely increased the cost of development. But in the long-term, how much have we saved from the intangible of a flaw not being exposed?

What is most valuable?

The Security Labs feature, in particular, is valuable, and I have been using the static code analysis as well.

What needs improvement?

I do have two pet peeves with the platform.

  1. The user interface is slow as a dog; really slow. You go to any modern interface and it's a lot more snappy. Even though I understand a lot of what they're doing and why it might be slow, it is really slow. You click on something and it takes two to three seconds. That doesn't sound long, but it just feels super clunky.
  2. There are many times when their product goes to check my code and it dies, and I don't know why. I've contacted support and they're not really helpful with this particular problem. I go to the logs and I look at what I can but I can't tell why the check process has essentially just died in the middle of checking.

Other than those two complaints, I still find it very strong and powerful.

In terms of additional features, the big one I would like to see is that, right now, I have to click through too many things to get to the triage report, which is the main thing I want to see for anything. I have to click through this one screen that doesn't give me any information and I really just want to get to the mitigation review screen quickly. Anything that would save me going through clicks and four or five different screens, because the interface is slow, would be fantastic. I want to get to that mitigation screen because the summary screens are not all that interesting to me. I need to know, "Is this mitigated? Is it not?" and get it checked off and reviewed.

For how long have I used the solution?

I've been using Veracode for two years.

What do I think about the stability of the solution?

It has been a very stable product. I don't think the issues that we're having are related to its stability.

What do I think about the scalability of the solution?

The scalability is "medium" because one of the things I've been having to do now is scale out more of the microservices by tier so that I can verify that the code is correct per tier. For me to scale up like that seems to be taking a lot of effort. I might be doing something wrong. Maybe it could be solved in a different way. But the scalability is average. On a scale of one to 10, I would put it at about five.

We do have plans to use more of Veracode. We are expanding into the SCA, where it is scanning the containers, and we've also just contracted with Veracode to do penetration testing.

How are customer service and support?

The one time I had to use their technical support for the bug where a code check dies, I found them a little off-putting. They have never really fully answered the question. I got tired of asking because they didn't understand what I was saying.

During installation, their support was fantastic, a 10 out of 10. But in dealing with this one issue, I would give them a two.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We haven't used another solution. Veracode is the first solution of this kind that we have worked with.

How was the initial setup?

The initial deployment was pretty straightforward. We ran into some issues, but honestly, nothing out of the ordinary. I would definitely put it toward the easy side. I found the documentation to be appropriate.

The deployment time was days.

We are using Jenkins as our CI/CD. We're using Amazon Cloud K8 deployments.

We integrated it in two different ways. The original way was with AWS CodePipeline. For that, we used Veracode's Docker service. Once we had it hooked up and could send the file, that was pretty easy to use. The second way is we now actually use Jenkins for our code build. We do the same thing although we're going to change to the Jenkins plugin here shortly. But it was still the same, with the ability to use Docker to send the file to Veracode. Once we wrote it, it was really easy, which is why we did it that way on Jenkins. Through both of them, the implementations worked easily.

From the time of deployment, we saw the benefits within one to two months, which was fairly immediate.

There is maintenance required because, sometimes, the pipelines for our code review essentially stop. I have to go and check that, as I mentioned earlier. The second piece of maintenance is that if there are any flaws or false positives, you have to mitigate those results. We have two people involved in the maintenance.

What about the implementation team?

I did the original Amazon CodePipeline implementation by myself and got it hooked up. As we went to more complex things, with Jenkins, that was done through an integrator DevOps team. On our side, it was just me involved.

What was our ROI?

I'm sure we have seen ROI, but I do not have a direct metric on it. There are a lot of intangibles in that. For example, what would be the cost of a particular flaw that we caught with Veracode, if it had gone live?

What's my experience with pricing, setup cost, and licensing?

When I looked at the pricing, it was definitely a value. In terms of the service and what it's checking, the cost was very reasonable, particularly because we could have multiple code bases as part of a project.

Make sure that you're comparing apples to apples if you're concerned about the price of Veracode versus what you're reviewing. Some of the stuff that Veracode does and applies is not the same for other services. When I really compared apples to apples, I found Veracode to be rightly priced.

There were no costs in addition to the standard licensing fees, although we just signed up for a couple of other products.

Which other solutions did I evaluate?

We looked at other solutions but one of the big things that made a huge difference with Veracode had to do with pricing. Because we're moving more and more toward a microservices architecture, and we have about six code bases that make up our entire product, they made it clear that as long as something was a part of our product, it was the same price. That was amazing to us because competitors charged per code base. It was definitely a more economical solution and the one that made more sense, and is more in line, with our product. That really simplified the thought process for us and was a huge competitive advantage.

What other advice do I have?

Veracode is a valuable tool to have in the toolbox to prevent vulnerable code from going into production. Veracode's false positive rate has been very good. It's reasonable. False positives take more time, but I have not noticed that time to be a significant burden. Its policy reporting for ensuring compliance with industry standards and regulations is adequate. 

In terms of having visibility into application status at every phase of deployment, Veracode doesn't provide that. It doesn't control the whole deployment cycle, so there's no way it can report on all of it.

The platform's interfaces look slightly antiquated but don't let that stop you from using it, because it has been a good solution for us.

The biggest lesson I have learned using it is that it's really nice to have these security checks in a single place in your code pipeline. We have multiple security companies at this point, but having the code review and product review security in one place helps us know that that part is "containerized." Having everything dealing with code review in one place is nice.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Fiorina Liberta - PeerSpot reviewer
Principal SRE Engineer at AIA
Real User
We use it to fix flaws in the code
Pros and Cons
  • "The most valuable feature is the security and vulnerability parts of the solution. It shows medium to high vulnerabilities so we can find them, then upgrade our model before it is too late. It is useful because it automates security. Also, it makes things more efficient. So, there is no need for the security team to scan every time. The application team can update it whenever possible in development."
  • "It could have better integration with our pipeline. If we could have better integration with our application pipeline, e.g., Jira, Bamboo, or Azure DevOps, then that will be very helpful. Right now, it is quite hard to integrate the solution into our existing pipeline."

What is our primary use case?

Every build running CI/CD on our applications, like Bamboo or Azure DevOps, will be scanned through Veracode SCA first. If its report for the build has a vulnerability or redundancy that is outdated or vulnerable, then that is our use case for our application. We have a lot of applications that need to automate these things, then get the report to the application team. Therefore, the security team needs to check these one by one.

We have a lot of people using Veracode, like the security team and DevOps. Also, the application team checks the Veracode result and updates it necessarily. Since it is integrated into our applications, there are a lot of users.

Our deployment model is on-prem. We deploy it as a JAR file inside our Cloud CMS.

How has it helped my organization?

We are using it to fix flaws in the code. Sometimes, we have reports that need to be checked. If it is a false positive, then we need to submit the false positive. However, if it is positive, then we need to fix it and perform a new scan to make sure the vulnerability has been fixed on the latest report.

After scanning, we receive report slides from Veracode. Their reports can help us to see the CVEs that we haven't even heard of and best practices that we can do, e.g., using logging properly, which is helpful. It helps us 50% of the time.

It has increased our security productivity by approximately 30%. It has reduced our development productivity by a bit less, since it sometimes breaks a lot of modules.

Veracode SCA helps us know about vulnerabilities before they go into our environment. This is one of its best benefits.

What is most valuable?

The most valuable feature is the security and vulnerability part of the solution. It shows medium to high vulnerabilities so we can find them, then upgrade our model before it is too late. It is useful because it automates security. Also, it makes things more efficient. So, there is no need for the security team to scan every time. The application team can update it whenever possible in development. Because we are using the Azure methodology, this helps us make sure that the application team can do it using the proper Azure method. For example, when we are using scrum, the application team can improve this Veracode scan on this scrum methodology. Therefore, if they were going to create a pull request, it would be detected. It would be scanned first before it goes to production or another environment, then they can fix it so we can do development more rapidly.

Our fix rate has increased by 15%. We know that we can update something now or put it in our roadmap to update later on in our application.

What needs improvement?

The mitigation recommendations are sometimes helpful. Sometimes, they are outdated. Sometimes, there are a lot of false positives inside Veracode. That is something that I already suggested to the Veracode team.

It could have better integration with our pipeline. If we could have better integration with our application pipeline, e.g., Jira, Bamboo, or Azure DevOps, then that will be very helpful. Right now, it is quite hard to integrate the solution into our existing pipeline.

If it has better integration with our DevOps pipeline, then we would use it more. However, at the moment, if the solution can be used for a new project, then we can integrate it. However, if that takes too long, we will integrate other things that are faster.

For how long have I used the solution?

We have been using the solution for two years and a few months.

What do I think about the stability of the solution?

The biggest problem is with the false positives. However, it is quite stable for scanning compared to some other applications. That is why we are still using it.

What do I think about the scalability of the solution?

At the moment, it is hard to implement on our pipeline. Therefore, we need better scalability, as it is quite hard to scale it to bigger projects because then the scanning will take a lot more time.

How are customer service and support?

Their technical support is helpful. If we send a message to them, then they respond within the SLA. I would rate the customer service as eight out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

While Veracode SCA may take some time to scan, it helps to reduce the number of scans that we need to do. Before, we needed to scan manually multiple times. Whereas, with SCA, we can just check one by one, then send it as a batch and scan it again. We used to scan 10 times or so. With this automated system, we now scan on average five or six times.

How was the initial setup?

I know how hard it was for our DevOps to set it up.

The deployment process is different for each application. There are a lot of different things that we need to set for this solution. If we have a standardized system, not only using JAR but also other things, then that would be very helpful and make it easier for us to integrate. Currently, there is a lot of preparation that goes into setting up Veracode for integration with our existing applications.

Depending on the pipeline, it takes about five working days to deploy.

What was our ROI?

On our team, the solution has been very helpful. For more than two years, it has helped us get a lot of things on our application. It is easier for us to do fixes instead of just doing a pen test every time, then getting everyone to check it. 

What's my experience with pricing, setup cost, and licensing?

It has good, fair licensing. If the price could depend on the scope of its scanning or the languages supported, then that would be better.

It is quite important to have fixed or static costs because it is easier for our financing.

Compared to other solutions, Veracode is more expensive but offers a lot for free.

Which other solutions did I evaluate?

We also evaluated SonarQube and Snyk in PoCs. We thought SonarQube and Veracode were good. 

We went with Veracode because its processes are very detailed and it supports a lot of languages. Though, compared to other solutions, it is difficult to integrate into the pipeline and can improve on its false positives.

What other advice do I have?

Try all of the features. Make sure that you use the Veracode SCA with different languages since we can see differences between scanning Java, Node.js, or PHP.

For our site, we only use SAST and DAST for penetration testing. Also, the penetration testing for SCA is handled by another vendor since we have a different vendor for this usage. 

It helps indirectly with Webex.

I would rate the solution as eight out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Sr. Development Manager at RWS Holdings PLC
Real User
Top 20
We're finding fewer and fewer issues through external security scanners or penetration testers
Pros and Cons
  • "It's hard to say that any single feature is the most essential. There are many errors and vulnerabilities in software today in the standard libraries for different vendors. We don't need to reinvent the wheel every time because we're using standard libraries, and it's important to know that your security isn't compromised because you are using libraries with vulnerabilities."
  • "Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using. The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row."

What is our primary use case?

Veracode is part of our overall security program. We use it to scan our daily build pipelines and all our fielded releases. The primary features we use are static application security testing and software composition analysis.

We analyze third-party libraries for known vulnerabilities and take action. Veracode is also part of our release procedure. We put the artifacts from the record and attach them to the release documentation to provide our customers with those documents if needed. 

How has it helped my organization?

Veracode has improved our product because we're gradually finding fewer and fewer issues through external security scanners or penetration testers. It plays an important role in the continuous integration quality assurance chain. We started using Veracode when it was supporting a 2017 standard. When the security standard changed to 2021, we received new issues. 

We adjusted the policy and no longer have any medium-priority issues in our scan results. It has increased the quality of our security while enabling us to pass the two historical standards and maintain compliance. We have analyzed and cleaned up several thousand issues since we started using Veracode. 

We use our internal policies for the WAF Security Standard, but it isn't an industry-wide policy. We do not use PCI DSS, etc., but it shouldn't be a problem to comply with that stuff. For example, PCI DSS isn't applicable to our case because we aren't managing any credit card data, working with medical devices, or doing anything involving the military. Some standards aren't applicable. 

Veracode offers visibility into vulnerabilities at every step of the pipeline. Every night, we build source code and mark everything that was merged during the day. We check those reports once weekly and correct some issues that were detected. For software composition analysis, it's even easier because every time the record updates, Veracode sends emails to the security team. It also makes me aware of some newer capabilities in software composition and analysis. 

It showed us a lot of flaws in various parts of our product and helped us visualize a lot of issues that we previously didn't know about. We had static code analysis, which is a bit different than Veracode. We were using a static code analyzer from Visual Studio, and it was mostly about development best practices. When we started using Veracode, we realized there were more problems that static analysis alone wasn't catching. It's an excellent tool for showing the vulnerabilities in your software. 

It helps us save time and effort for a portion of our production. For example, if you're scheduling to release product improvements in the spring, you don't want to fix anything after it goes into production. From that perspective, fixing things before the code is released saves us time. It also protects our reputation because fewer issues enter production. 

It sometimes saves our customers some time because they don't need to perform their own security analysis because we've already analyzed the product and can provide them with the results much faster. 

What is most valuable?

It's hard to say that any single feature is the most essential. There are many errors and vulnerabilities in software today in the standard libraries for different vendors. We don't need to reinvent the wheel every time because we're using standard libraries, and it's important to know that your security isn't compromised because you use libraries with vulnerabilities. 

We use Veracode as a quality gate. We do not do continuous delivery or continuous deployment. We're releasing about twice a year, so we use it as a quality gate in this situation. We should analyze various types of patch software. From my observations, it has been an excellent tool so far. We also have an external penetration testing effort, and the testers have not found any issues, so that tells us that Veracode has been successful at preventing issues from entering production.

I use the software bill of materials. Our product consists of many systems and components and redundancies that must be processed manually. We are in contact with the Veracode guys, and I think the next release will have this software bill of materials added. It isn't a problem with Veracode. It's a problem with the way we upload and build sources. In the implementation stage, we want the results as fast as possible, and we've done it in a way when we upload. It can be optimized when we upload it to Veracode. 

What needs improvement?

Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using. 

The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row.

In our project, we use a lot of limited packages that link to another library, and there may be issues in those reference libraries. For example, one library might be referenced by several Google packages. When it shows you a vulnerability in one library, you will not see the issues in all libraries. We've discussed the issue with the Veracode team, and they are investigating a way to fix this. Hopefully, it will not be an issue. 

For how long have I used the solution?

I have used Veracode for several years. I've led our product toward Veracode standard certification.

How are customer service and support?

I rate Veracode support eight out of 10. We had to contact support several times in the early years about a licensing issue we faced. We had some false positives in the licensing report from Veracode, so we raised a ticket with the support team, and they resolved it relatively quickly. We have regular meetings with a dedicated representative from Veracode, but we also get help from our colleagues on staff. At the moment, I'm happy with their support. They provide us with the necessary level of quality.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used SonarQube, but it's somewhat different because it's a pure static code analysis tool. Veracode has a stronger focus on web security, and we produce a web-facing product, so that's important to us. SonarQube is strictly a static code analysis tool. 

How was the initial setup?

Veracode's setup was pretty straightforward, but there were a few challenges integrating it with our continuous integration system because there are lots of components. We wanted our source code scanned daily, so we had to change our build process. It's a bit tricky getting it to work with various parts of our solution. Our product is too complex, and there are lots of applications and flavors.

We did it ourselves because we have sufficient expertise. We're still tuning our build process and reports. They have comprehensive documentation. We had help from Veracode support, who answered our questions about integrating the solution with our software. It mostly involved a little tuning to build our software in debug mode and deploy it back into our cloud.

What was our ROI?

We can measure our ROI in the number of issues we discover and remedy. From a quality control perspective, a problem is more expensive if a customer reports it. If we take price into consideration, we've decreased the net cost of security because we're receiving fewer issues from our customers. You must also consider the reputational cost if the customer needs to implement the fix.

If we find the issue after the fact, we need to provide our customers with the fix, and that may require some additional processes on the customer side. However, it's hard to calculate how much money it saved us.

What's my experience with pricing, setup cost, and licensing?

We are not using the licensing much because we have a strict internal licensing policy. We mostly avoid GPL licenses and their flavors. Managing the licenses can be tricky. Sometimes you add a library and build some functionality around it, so removing it from the source can cause problems.

Cost is an issue at every stage because you need to evaluate what you're spending and what you expect from the project. You should use common sense and clearly understand the pros and cons. It's hard to say whether the solution is cheap or expensive because it depends on your company's needs. Some companies need Veracode for compliance requirements, and it doesn't matter how expensive it is. It's costly, but it's the best in the industry. You can get something that does the job but it's like a car. You might buy a clunker for a few hundred dollars or an Infiniti for a hundred thousand. 

Which other solutions did I evaluate?

We tried another solution before we started using Veracode. I believe it was HCL AppScan.

What other advice do I have?

I rate Veracode eight out of 10. You should evaluate at least two vendors based on the company's needs. A host of issues need to be addressed, and it's a significant task. Veracode shows you many issues, but you must develop processes to address them. It was impressive when we first scanned our sources and found a thousand issues, but we had to develop compliance policies to deal with them. My advice is to not make the policies too strict. For example, you can start with high-priority issues.
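The advice above (start with high-priority issues, and avoid re-triaging the same advisory that surfaces through several dependencies day after day) can be turned into a small build gate. The following is an added example, not code from the reviewer or from Veracode, and it works on a constructed, generic findings list rather than Veracode's own report format; the advisory ids, library names and `Finding`/`gate` helpers are illustrative assumptions.

```python
"""Severity-gated triage for dependency-scan findings.

Added example (not the reviewer's or Veracode's code). It runs on a
constructed findings list, not Veracode's report format, and shows how a
"not too strict" policy can be enforced in CI:
  * collapse the same advisory reached through several dependencies,
  * fail the build only at or above a chosen severity,
  * suppress findings already accepted in a baseline so they do not
    re-surface on every daily scan.
"""
from dataclasses import dataclass

# Assumed severity scale; adjust to whatever the scanner reports.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "very_high": 4}


@dataclass(frozen=True)
class Finding:
    advisory: str    # advisory identifier (hypothetical ids below)
    component: str   # vulnerable library as name@version
    severity: str    # key of SEVERITY_RANK
    via: str         # direct dependency that pulled the component in


# Constructed sample input: ADV-0001 is the same library vulnerability
# reached through two different packages; ADV-0003 is already accepted.
SAMPLE = [
    Finding("ADV-0001", "libparse@1.2.0", "high", "google-pkg-a"),
    Finding("ADV-0001", "libparse@1.2.0", "high", "google-pkg-b"),
    Finding("ADV-0002", "httpclient@3.0.1", "medium", "sdk-core"),
    Finding("ADV-0003", "imgcodec@0.9.4", "very_high", "media-utils"),
    Finding("ADV-0004", "logfmt@2.1.0", "low", "sdk-core"),
]


def dedupe(findings):
    """Group findings by (advisory, component); keep every path that reaches it."""
    merged = {}
    for f in findings:
        key = (f.advisory, f.component)
        entry = merged.setdefault(key, {"severity": f.severity, "via": set()})
        entry["via"].add(f.via)
    return {k: {"severity": v["severity"], "via": sorted(v["via"])}
            for k, v in merged.items()}


def gate(findings, min_severity="high", baseline=frozenset()):
    """Split deduplicated findings into (blocking, deferred, suppressed).

    blocking:   at/above min_severity and not in baseline -> fail the build
    deferred:   below the threshold -> report now, fix on a schedule
    suppressed: accepted in the baseline -> do not raise again
    Each list holds sorted (advisory, component) keys.
    """
    threshold = SEVERITY_RANK[min_severity]
    blocking, deferred, suppressed = [], [], []
    for key, info in sorted(dedupe(findings).items()):
        if key in baseline:
            suppressed.append(key)
        elif SEVERITY_RANK[info["severity"]] >= threshold:
            blocking.append(key)
        else:
            deferred.append(key)
    return blocking, deferred, suppressed


def build_passes(findings, **policy):
    """True when nothing blocks under the given policy (use as the CI exit status)."""
    return not gate(findings, **policy)[0]


if __name__ == "__main__":
    # Baseline = findings accepted with a documented, dated exception.
    baseline = frozenset({("ADV-0003", "imgcodec@0.9.4")})
    blocking, deferred, suppressed = gate(SAMPLE, baseline=baseline)
    grouped = dedupe(SAMPLE)
    for key in blocking:
        print("BLOCK     ", *key, "via", ", ".join(grouped[key]["via"]))
    for key in deferred:
        print("DEFER     ", *key)
    for key in suppressed:
        print("SUPPRESSED", *key)
    raise SystemExit(0 if build_passes(SAMPLE, baseline=baseline) else 1)
```

Tighten the policy over time by lowering `min_severity` and shrinking the baseline; the baseline should carry an owner and expiry date per entry in a real repository so that accepted risk is revisited rather than forgotten.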

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2025