Veracode Reviews

We were looking into compliance. I'm a consultant, and we're looking at it from the perspective of using Veracode to ensure that the organization we were consulting for was meeting its compliance expectations.

The solution has helped to improve the time to identify and remediate vulnerabilities that come from software - mostly through the static code analysis tool - as well as the ability to effectively communicate why the vulnerabilities are important.

The feature I've used the most is the static code analysis. It was incredibly easy to start using. As a new user, there wasn't a lot of lead time to understand the software work. It was also very easy to communicate the vulnerabilities that Veracode found to the engineering teams that needed to remediate the issues.

We have used the software bill of materials. This feature is good for helping us manage your supply chain, security, and licensing. That comes into play a lot when we are working with federal contracts where certain materials or processes are not allowed within contracts with the federal government. We would use that to ensure that the software itself is compliant. It is easy to create these reports using this feature.

The product’s policy reporting for ensuring compliance with industry standards and regulations is great. It took its own compliance quite seriously, which is something I always look for when dealing with the vendor. There are certain vendors out there that aren't as serious about their own security. I was comfortable with what the product was doing.

Veracode provides visibility into application status at every phase of development throughout your software development life cycle. It definitely improved the efficiency of it. One of the key things Veracode can do is it can rank the vulnerability defined based on the severity. That allowed us to hone in on what was the highest vulnerability and then work our way down. Therefore, it definitely improves the efficiency of those operations.

Veracode's false positive rate, as far as I remember from my experience, wasn't that bad. Usually, what it will do is it will identify a vulnerability, and then it will explain why the vulnerability is important, and then through those explanations, the engineers and I were able to see if something is an issue or if it is a false positive. When it comes to eliminating false positives, you're never going to have 100%. While it did introduce a little frustration, what did remediate that was the explanations that the software provided.

The false positive rate affected the time we spent on tuning these policies somewhat, however, it wasn't too bad. It wasn't anything to complain about.

For the clients I work with, it has a significant impact on improving the ability to identify and then fix flaws. The tool itself does offer strategies to remediate the efforts if, for whatever reason, the engineering team doesn't understand how best to approach them. Usually, they do, however, it is nice that they offer that service.

Veracode helped our developers save time. From my experience, what would normally take two days we're able to get done in an afternoon. That allows our team to work on more efficient work and more impactful work.

The product has had a positive experience on the overall security posture of our organization. It has definitely improved it. Hands down, it is easy to say that the solution has had a positive impact on the security posture of the organizations I consulted for.

Veracode reduces the cost of dev backups. That said, it's hard to put a number on it. It reduces the dev set time and the work they do can then be allocated effectively to other items. 

It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas. That way we could use it on higher level contracts. That would be a good business opportunity for the solution.

I've used the solution for two years. 

I've never run into any stability issues. I haven't heard of anyone else running into any either. 

The solution is highly scalable. We did run quite large programs through Veracode, and we also ran quite small programs through it too, and we didn't encounter any issues in either case.

I've never needed to contact technical support. 

I cannot recall working with other solutions. I do have experience with a more traditional way of looking at code and identifying errors. That's where this product came in with the ability to just automatically catch those errors.

I was not involved in the deployment of the solution. It doesn't require any more than ordinary maintenance. That's not a big concern. 

I have witnessed an ROI while using the solution. It positively impacts our team's ability to get their job done, which reduces strain on employees and therefore reduces employee turnover, which, given the severity of the skill set that we look for, is incredibly impactful for us.

It does pay for itself given the pricing structure. Of course, the pricing structure changes based on the sales deal, et cetera. It definitely had a positive impact on the organizations we used it with. Financially, it does make a solid business case for itself.

I'd rate the solution ten out of ten. 

Potential new users should ensure that they take into account the amount of time their teams are spending on dev setups and consider what other work those people could be doing that might be more meaningful - rather than physically looking through code. Veracode has the ability to improve a team's operations as well as an employee's efficiency with doing complex work. Companies definitely need to consider how efficient their team is and consider what this tool could do to improve that.

I have manually worked in CI/CD pipelines without Veracode. We could get automatic reports after integrating Veracode plugins into the build tool. The pipeline has become much more automatic by integrating the solution.

The best feature of Veracode is that we can do static and dynamic scans. Veracode performs software composition analysis, and we can use the solution to download different reports like the summarized report. Veracode’s interface is good.

Veracode should include the feature to run multiple scales at a time.

I have been using Veracode for one year.

Veracode is a stable solution, except on one occasion when I faced some issues. I rate Veracode a nine out of ten for stability.

Veracode has good scalability. In our organization, Veracode is used only by our team, which consists of seven members.

We have used the JFrog XRAY tool for SCA (software composition analysis).

Veracode’s initial setup was easy and straightforward.

Implementing Veracode doesn't take much time. It takes only a few hours to implement the solution. Veracode was deployed by a team consisting of two to three members.

I am into DevOps, and we have integrated Veracode into our DevOps pipeline.

I would recommend Veracode to other users.

Overall, I rate Veracode a nine out of ten.

The main purpose of Veracode is to deliver secure code on time. We use it to test our application security, at the implementation stage to make sure that code is secure. We do static and dynamic testing, as well as penetration testing with Veracode. We also use it for security threat detection for our enterprise applications.

It empowers our developers to fix security issues and achieve desired outcomes. It's a very secure cloud platform and helps us monitor our web sources for any attack. We have been able to completely secure our enterprise software, which is on the cloud, with the solution. Overall, we have been able to reduce the risk factors for our enterprise software. Also, determining security threats to our application happens faster now with the help of Veracode. The benchmarking capabilities against industry standards and the compliance help us a lot.

Veracode also provides a lot of programming language support and different frameworks are available, which enables us to get things into production much more efficiently. Our SDLC has become much smoother and more secure with Veracode.

And it has definitely helped our developers save time. It helps them with future references because, if they write code one time with errors that Veracode finds, the next time they use that as a reference and don't repeat the mistake. In that way, in the continuous development process, a lot of time is saved. It saves us about 20 percent of our time.

We are able to create more applications now, and code more, while worrying less about errors while coding. Worrying about fixing the flaws in an application is completely taken care of by Veracode, so we are able to focus more on creating new code and developing new applications. Veracode has been a great platform for that particular purpose.

We have also found more security vulnerabilities in our code, which has helped us produce much better applications for our end-users. Most of the time, vulnerabilities go unnoticed by humans. Veracode helps us pinpoint the exact vulnerability, what it affects, and it helps us correct it for future reference.

One cool feature is the static code scan, which is very good. 

Also, the dashboards and the threat insights it provides are very good. The dashboards are intuitive and pretty straightforward, but also pretty detailed.

We get good, actionable insights at each stage, including static, dynamic, and penetration analysis, and it reduces overhead for us. 

It also has compliance monitoring and reporting capabilities that I like very much. The compliance reporting is a great feature because there are a lot of different frameworks and channels, and each unique channel has its individual compliance monitoring and policies. Veracode helps us prepare for all the different challenges.

The false positive rate is a gray area. The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives. We expect false positives, but if that ratio could be reduced to a single-digit number for the false positives, that would be much more helpful.

We are spending some manual effort and time on this because it happens sometimes, when we first scan code, that it says there is no threat. And the second time we scan it, it says there is a threat. Those kinds of positive responses make us do double work. If that was better, it would greatly improve our overall efficiency.

Apart from the false positives, I would like to see more plugins and integrations to make Veracode much more user-friendly for developers and users. Any IDE plugins would make our work faster.

My experience with Veracode has been over 12 to 14 months.

Overall, because it is a cloud platform, stability is not a concern. It's quite stable. To be strict about things, the UI can be very slow. There is downtime now then, and I understand why it happens, but I would appreciate it if that happened less.

We are not going to scale it right now. We have about 18 developers and five or six administrators using the solution, and I don't expect that will change for now. But you can purchase more licenses. It's definitely scalable in that sense.

We have it in a single location only and it is used across three or four development teams in our office.

Veracode support is very knowledgeable and very prompt. The Veracode community is also available, which is very good.

Positive

It's only deployed on the cloud. Although I was not a part of the initial deployment, I know for a fact that the deployment can take a long time.

As for maintenance, there are software updates, but apart from downloading the software updates, there isn't any other maintenance required on our side. It's a cloud platform so it self-maintains.

Our ROI is that we have seen a tremendous increase in the overall security of our enterprise software. It has helped us engage better with our clients and our retention rate has increased about 7 percent. We can't pinpoint that directly to using Veracode, but since we started using it we have seen this retention increase.

The pricing is fair. We are planning to renew for the next year.

It's definitely value for money. I would tell someone who is looking at Veracode not to be concerned about the pricing because the value that they will get, for this price, in the market, is very good when it comes to their long-term plans.

If a proof of concept is possible, I would ask you to try it out first to get a sense of what Veracode is before investing. But investing in this tool is very much needed. With security threats, for long-term purposes, the code-level threat detection and code-level error detection are very much needed by any organization.

We use Veracode for static application security testing, dynamic testing, and software composition analysis. My company's engineering team has about 50 people who use Veracode across multiple product lines. 

The main benefit of Veracode is that we can deliver better, more secure software. Our customers also trust Veracode. When we share the Veracode report, they see that we have gone through all the due diligence.

Veracode aligns with SOC, ISO, and other types of certifications. It helps with compliance that Veracode has all these reporting formats. The solution provides visibility at every stage of development. We have automated almost everything through integration with Jenkins. As soon as the developer commits, it triggers the static scan for the main branches. We don't need to trigger the scan manually or do a follow-up to see if it's done scanning. 

The solution saves time by reporting issues and recommendations that help developers fix the reported vulnerabilities faster. I estimate that it improved developer productivity by about 10 percent.

Veracode has good support for microservices, and I also like the sandbox environment. For example, when introducing a new component, we can scan it in a sandbox environment. It will not impact the main environment. When our team fixes it, they. can push it to the production environment when the results are acceptable. 

The solution effectively prevents vulnerabilities from entering production. We've drastically reduced our third-party VAPT-reported issues. Before Veracode, the third-party VAPT analysis reported hundreds of issues per application. Now it's down to about 20, and Veracode can address most of them.

The interface is one thing I find a little challenging. Veracode's interface feels a little outdated compared to other solutions, and it could be modernized. I'm mostly happy with the features, but Veracode could add Docker image scanning. 

I have used Veracode for about six years.

Veracode seems stable. I don't recall facing any issues. 

Veracode is scalable.

I rate Veracode support eight out of 10. They are quite good at responding to issues. 

Positive

We tried AppScan and Snyk.  From an integration perspective, Snyk is a little better integrated with our pipelines and ticketing system. 

I can't recall the deployment well, but I think it was straightforward. Veracode requires no maintenance after deployment. 

I have not calculated the return on investment, but I think it's at least 200 percent. 

We aren't paying the listed price. We get some discounts, but we get a lot of value from it regardless of what we're paying. We look at the overall cost of what we would spend without a tool like Veracode. The longer you delay fixing security vulnerabilities, the more it will cost you during the later stages. By integrating it into the development cycle earlier, it helps to keep total costs lower.

We evaluated multiple scanning solutions before choosing Veracode, and we perform a mandatory comparative analysis annually. Veracode's scanning engine is more innovative and provides a more detailed analysis relative to Snyk and AppScan. It performs much better in terms of the number of issues discovered. 

I rate Veracode 10 out of 10. When implementing Veracode, you need to develop a workflow or a process. It becomes easier if you have that in place. For example, you can create a workflow where you scan inside the sandbox and approve those fixes before moving to production. 

Also, you should have separate people for raising issues, remediation, and approval. That way, you will have some control over which issues are mitigated and for what reason. That process flow has to be set up properly. Another aspect of successful implementation is automation. Your team needs to invest time in automating and embedding scanning in your pipelines. 

My company produces one of the most secure fabrics that you can find. Veracode is integrated into our development cycle through Jira. We do a full static analysis with Veracode and use Burp Suite to review the findings. The most common attack vector we find in Java code is SQL injection. When SQL injection shows up, you send a screenshot and a report to your executive team. They see the screenshot and say, "Oh, they're seeking injection here." 

This has now become a top priority. We're going to pause all these redundant features that we're making here and ensure our code is secure with no SQL injection vulnerabilities. Veracode finds everything, and the security engineers do the penetration test using the results. You provide a report showing where the issue is, and developers can fix it. We also use Veracode to train security engineers and teach them how to file reports.

My case is different from other individuals. I worked for a startup, so we had to find a way to capitalize on all the resources in Veracode. Larger organizations are not leveraging the built-in dashboard. That aspect is what people want to know about. They want to see how their money is being spent on security. The biggest problem with security is getting funding. None of these executives believe anything these users are saying until they can see the results.

They want that dashboard report. In less than three weeks, a junior security engineer can learn to create a dashboard easily that will allow the organization to stay on top of the most important things. They need to show the stakeholders that we're doing something here. They'll get the certification and see the dashboards. You now have something that's actually worth $2,000. With these other ones, who knows what you'll get. 

It allows us to provide a certificate showing stakeholders and potential customers the proof that we take security seriously. Everyone says that they're on top of their security and have all these things in place. In a sales call, we can immediately respond to any questions about our security posture by pointing them to a link showing that your company was among the few companies that completed the full certification process. Veracode has four levels of certification, and we are at level three, I believe. 

To my knowledge, Veracode is the only real devSecOps pipeline that captures every component of the software delivery cycle, from sandbox and staging to development and production. You need to go through those four phases and ensure the code is secure by the time it hits production. Veracode handles all those phases seamlessly and can be automated with Jenkins.

Veracode is highly efficient at fixing flaws. A single person can go through and do a penetration test after collecting the data from Veracode. Instead of telling developers where the issue is, they can show them in the code editor for the static analysis. They can assign tasks to the team using Jira, so developers almost never need to do that work. They actually almost never go back and fix any of these vulnerabilities. That's why I was my company's most hated and most loved man. I forced them to do it.

I like Veracode's API. You can put it into a simple bash script and run your own security testing from your MacBook in less than 15 minutes. Veracode's application security consulting team is very helpful. They're responsive and follow up quickly. 

Veracode would benefit greatly from more training resources. The videos are great, but I would like more hands-on training writing a script, validating a script with a unit test in a different language, etc. That's something that would be very valuable. 

We have used Veracode for more than four years.

Veracode is highly stable. It very rarely crashes. 

I rate Veracode support 10 out of 10. Their customer support is incredible. If I have any issues, I can immediately connect with their support team and have a real working solution within one week.

Positive

Deploying Veracode is easy. I had the best customer success manager at Veracode helping me. After deployment, Veracode requires little maintenance. 

Veracode is inexpensive and cost-effective. The licensing model is unambiguous. You know what you are getting. They also give you several seats for training. That's why it would benefit them to improve the training because more people could take advantage of it and use certifications. Some certifications for other products don't have much real value, but Veracode is a product many companies use, so it could help people get jobs.

If you're concerned about the cost, you should meet with a representative to talk about pricing. Veracode is flexible, and they're willing to let companies try the platform or test different features. They will work with companies to get to the point where they'll use it.

I used JFrog X-ray with homegrown scripts for testing the code. It was terrible. We chose Veracode because it is more scalable. We could run scans on any code, and it was reliable. Also, their documentation was up to date. With other software providers, you would find an issue in the documentation, and they would backtrack, saying, "Oh, no one's using that." 

Veracode immediately responds to the community. You have people in the community supporting each other and suggesting new features. Software providers say they're open to suggestions. Veracode will quickly get something from the community and immediately put it into development. JFrog has the same stuff as they did four years ago. They haven't changed anything. 

I rate Veracode 10 out of 10. Veracode is constantly changing and improving. 

We use Veracode for SAST and SCA. We are moving towards dynamic analysis as well. We use it now to scan our artifacts and reports, and very soon we are going to use the Veracode plugin for our IDE to have immediate results for security analysis purposes.

Before integrating Veracode, we were getting so many security vulnerabilities on higher branches. We integrated it to fix that. It prevents vulnerable code from going into production. We have fewer vulnerabilities and bugs.

We are getting the security vulnerability results on a day-to-day basis. Our pipeline is running every hour, and we are getting early feedback, giving us a shift-left approach. On a daily basis, we are able to rectify issues rather than find them in production or pre-production.

It provides visibility into application status at every phase of development. We have our initial feature branch, or low-level branch, and then we commit. The pipeline is running, so we will know about things immediately. This is quite valuable for us.

The SCA, agent-based analysis, is valuable. SAST and DAST take time, while this is quite fast. It gives the results very quickly. We have implemented it into our CI/CD pipeline.

Another aspect that is quite good is the policy reporting for ensuring compliance with industry standards and regulations. Initially, we were using freeware tools, but we are quite impressed with how Veracode gives the most detailed and latest vulnerability and security information.

I have been using Veracode for almost a year.

It's a stable solution. There are no problems. The stability is a seven or eight out of 10.

We connected with Veracode's support a couple of times, and we got a different answer each time.

Neutral

We used to use Snyk and other tools. The switch to Veracode was an enterprise-level discussion, and I was not involved.

It took some time to see the benefits, around six to eight months.

Although Veracode doesn't scan source code, only binary code, I'm not concerned because we can scan the source code with an SCR tool.

Veracode hasn't yet helped our developers save time. Their development time has increased because, initially, we were only taking the security and vulnerability issues on the higher branches. Now it is on lower branches as well, so the development time has increased. In the local branches, if a report indicates something has not passed, we are not allowing them to merge their code into higher branches.

We have it deployed in a multi-cloud and hybrid environment. We are using AWS, Azure, and VMware vSphere.

Overall, I would recommend Veracode. It is quite helpful.

We used Veracode for code scanning and source composition analysis.

Veracode can block vulnerable code from going into production.

The SBOM is a good option for companies that are asked about their SBOM.

The SBOM helps manage our risk.

Generating SBOM reports is not difficult, but setting up the necessary infrastructure for analysis takes time.

The policy reporting is incredibly robust.

Veracode provides visibility into application status in every phase of development.

The source composition analysis had very good reporting.

Veracode's long scan time for vulnerable code can hinder productivity. There is room for improvement in this area.

Veracode produced a lot of false positives.

Veracode's ability to fix flaws is less sophisticated than that of its competitors. For example, Veracode's static analysis scanning workflow for flaws is not as highly developed as Checkmarx's or Snyk's. Veracode would often provide incorrect sources and fail to identify the source of malicious user input coming to the team.

The process of bundling binaries or code for scanning could be improved.

I trialed Veracode for two weeks. 

In our short trial period, we did experience some stability issues.

Veracode scales sufficiently.

I worked with Veracode's technical consultation staff and found the agent to be incredibly knowledgeable and sophisticated in their use of Veracode, as well as in vulnerable load patterns.

Positive

The deployment was complex.

Ten people were involved in the deployment.

We used the experience of engineers who had used Veracode in the past, as well as feedback from Veracode's engineers.

Veracode's pricing is competitive.

I believe Veracode would be willing to negotiate decent terms for organizations that are concerned about the pricing.

We also evaluated Checkmarx and Snyk, respectively. This puts them at a slight disadvantage in terms of identifying execution paths and their ability to comprehensively show how vulnerable code is executed in our solution.

I would rate Veracode six out of ten.

Once Veracode is fully configured, the maintenance should be relatively minimal.

Veracode's best advantages are detailed reporting for industries such as government work, or other industries that may require exceptionally detailed reports or secure security verifications. However, I would suggest that people look out for the accuracy of results and the usefulness of findings on a large scale. Additionally, Veracode has a difficult-to-navigate user interface.

We use Veracode to test for errors in the code in the applications we are building within our service pipelines.

Veracode assists in preventing vulnerable code from entering production. It is essential to ensure that our applications entering production are free from errors.

It has assisted our organization by providing a report that we can share with our developers, identifying vulnerabilities in their code. This enables them to address the issues before the code is put into production.

Ever since the implementation of Veracode, I have noticed that the processes for rectifying the issues in our pipelines have become much easier.

Veracode helps our developers save time. The solution has simplified the coding process for our developers.

I would rate Veracode's impact on our organization's overall security posture as nine out of ten. The solution has been beneficial to us daily, and we haven't encountered any issues with their solution so far.

The capability to identify vulnerable code is the most valuable feature of Veracode.

There are times when certain modules cannot be scanned automatically, requiring us to manually select these modules and initiate the scanning process on our side.

The vulnerability report has potential for improvement and should encompass more detailed information about the vulnerability, rather than solely identifying it.

I have been using Veracode for three years.

Veracode is stable.

I believe Veracode is scalable, but I am not certain.

I rate Veracode a seven out of ten.

I recommend Veracode. The solution only requires a one-time configuration into the pipeline and the testing is done automatically. 

Integrating Veracode with our pipelines is an easy process. We simply use VML files and the integration is done automatically for us.

We currently have approximately 55 microservices, composed of various teams. Altogether, there are about 170 people utilizing Veracode.

I recommend becoming as familiar as possible with Veracode before using it. Even watch online tutorials to ensure that the deployment goes as smoothly as possible.