Veracode Reviews

We use Veracode as part of our development pipelines. It gives us security feedback when we run our applications. Our applications are completely containerized in Docker images with a .NET 4.6 architecture. These are web-based applications, so we want to know that all the HTTP requests are secured. The tool provides us with feedback to ensure that our application security is robust. 

We are primarily running Veracode to check for vulnerabilities after the build. There is no pre-build process. We are running a post-build static analysis and dynamic analysis. We run it at the end of the development process. 

Veracode's ability to detect security vulnerabilities is excellent. We can feel confident that none of the vulnerabilities will make it into production. It doesn't take long to realize the benefits from it. The interface is intuitive. We could start to see value from Veracode within a couple of weeks. 

We don't have many false positives. We're using the tool's default rules and haven't done much customization. We can feel confident in the solution's results. 
We can identify most of the issues before the production stage, and it also enables us to develop better practices in the development process. We also have a security testing team using Veracode to discover vulnerabilities. The discovery of issues after static analysis is super-efficient. It reduces our time spent on these tasks by about 30 percent. 

Veracode has had a positive impact on our overall security posture. It's comprehensive, which is critical because our applications are mostly integrated, so we don't want to take any chances. 

One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities.

Veracode helps us prevent vulnerabilities from entering production. We can put it into the pipeline and set an acceptable limit for vulnerabilities. If the number of vulnerabilities is under the threshold, we can deploy automatically. 

Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code.

I have only used Veracode for a year.

Veracode is stable. 

Veracode is scalable.

I rate Veracode support eight out of 10. 

We evaluated another solution briefly but we decided to keep Veracode. Veracode has some issues with container scanning, and we have some container-based applications. We considered bringing in another tool for container scanning, but it was too expensive and Veracode was able to mitigate the issues well enough. 

Veracode is affordable. It offers a good value for the security benefits it offers, especially if you're working with applications that involve payment processing. You cannot afford to take chances there. 

I rate Veracode nine out of 10. I recommend Veracode, depending on the type of application you are scanning. It's a leading solution in this domain. Veracode is the first name that comes to mind when people are talking about security scanning. 

We were looking into compliance. I'm a consultant, and we're looking at it from the perspective of using Veracode to ensure that the organization we were consulting for was meeting its compliance expectations.

The solution has helped to improve the time to identify and remediate vulnerabilities that come from software - mostly through the static code analysis tool - as well as the ability to effectively communicate why the vulnerabilities are important.

The feature I've used the most is the static code analysis. It was incredibly easy to start using. As a new user, there wasn't a lot of lead time to understand the software work. It was also very easy to communicate the vulnerabilities that Veracode found to the engineering teams that needed to remediate the issues.

We have used the software bill of materials. This feature is good for helping us manage your supply chain, security, and licensing. That comes into play a lot when we are working with federal contracts where certain materials or processes are not allowed within contracts with the federal government. We would use that to ensure that the software itself is compliant. It is easy to create these reports using this feature.

The product’s policy reporting for ensuring compliance with industry standards and regulations is great. It took its own compliance quite seriously, which is something I always look for when dealing with the vendor. There are certain vendors out there that aren't as serious about their own security. I was comfortable with what the product was doing.

Veracode provides visibility into application status at every phase of development throughout your software development life cycle. It definitely improved the efficiency of it. One of the key things Veracode can do is it can rank the vulnerability defined based on the severity. That allowed us to hone in on what was the highest vulnerability and then work our way down. Therefore, it definitely improves the efficiency of those operations.

Veracode's false positive rate, as far as I remember from my experience, wasn't that bad. Usually, what it will do is it will identify a vulnerability, and then it will explain why the vulnerability is important, and then through those explanations, the engineers and I were able to see if something is an issue or if it is a false positive. When it comes to eliminating false positives, you're never going to have 100%. While it did introduce a little frustration, what did remediate that was the explanations that the software provided.

The false positive rate affected the time we spent on tuning these policies somewhat, however, it wasn't too bad. It wasn't anything to complain about.

For the clients I work with, it has a significant impact on improving the ability to identify and then fix flaws. The tool itself does offer strategies to remediate the efforts if, for whatever reason, the engineering team doesn't understand how best to approach them. Usually, they do, however, it is nice that they offer that service.

Veracode helped our developers save time. From my experience, what would normally take two days we're able to get done in an afternoon. That allows our team to work on more efficient work and more impactful work.

The product has had a positive experience on the overall security posture of our organization. It has definitely improved it. Hands down, it is easy to say that the solution has had a positive impact on the security posture of the organizations I consulted for.

Veracode reduces the cost of dev backups. That said, it's hard to put a number on it. It reduces the dev set time and the work they do can then be allocated effectively to other items. 

It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas. That way we could use it on higher level contracts. That would be a good business opportunity for the solution.

I've used the solution for two years. 

I've never run into any stability issues. I haven't heard of anyone else running into any either. 

The solution is highly scalable. We did run quite large programs through Veracode, and we also ran quite small programs through it too, and we didn't encounter any issues in either case.

I've never needed to contact technical support. 

I cannot recall working with other solutions. I do have experience with a more traditional way of looking at code and identifying errors. That's where this product came in with the ability to just automatically catch those errors.

I was not involved in the deployment of the solution. It doesn't require any more than ordinary maintenance. That's not a big concern. 

I have witnessed an ROI while using the solution. It positively impacts our team's ability to get their job done, which reduces strain on employees and therefore reduces employee turnover, which, given the severity of the skill set that we look for, is incredibly impactful for us.

It does pay for itself given the pricing structure. Of course, the pricing structure changes based on the sales deal, et cetera. It definitely had a positive impact on the organizations we used it with. Financially, it does make a solid business case for itself.

I'd rate the solution ten out of ten. 

Potential new users should ensure that they take into account the amount of time their teams are spending on dev setups and consider what other work those people could be doing that might be more meaningful - rather than physically looking through code. Veracode has the ability to improve a team's operations as well as an employee's efficiency with doing complex work. Companies definitely need to consider how efficient their team is and consider what this tool could do to improve that.

We used Veracode for code scanning and source composition analysis.

Veracode can block vulnerable code from going into production.

The SBOM is a good option for companies that are asked about their SBOM.

The SBOM helps manage our risk.

Generating SBOM reports is not difficult, but setting up the necessary infrastructure for analysis takes time.

The policy reporting is incredibly robust.

Veracode provides visibility into application status in every phase of development.

The source composition analysis had very good reporting.

Veracode's long scan time for vulnerable code can hinder productivity. There is room for improvement in this area.

Veracode produced a lot of false positives.

Veracode's ability to fix flaws is less sophisticated than that of its competitors. For example, Veracode's static analysis scanning workflow for flaws is not as highly developed as Checkmarx's or Snyk's. Veracode would often provide incorrect sources and fail to identify the source of malicious user input coming to the team.

The process of bundling binaries or code for scanning could be improved.

I trialed Veracode for two weeks. 

In our short trial period, we did experience some stability issues.

Veracode scales sufficiently.

I worked with Veracode's technical consultation staff and found the agent to be incredibly knowledgeable and sophisticated in their use of Veracode, as well as in vulnerable load patterns.

Positive

The deployment was complex.

Ten people were involved in the deployment.

We used the experience of engineers who had used Veracode in the past, as well as feedback from Veracode's engineers.

Veracode's pricing is competitive.

I believe Veracode would be willing to negotiate decent terms for organizations that are concerned about the pricing.

We also evaluated Checkmarx and Snyk, respectively. This puts them at a slight disadvantage in terms of identifying execution paths and their ability to comprehensively show how vulnerable code is executed in our solution.

I would rate Veracode six out of ten.

Once Veracode is fully configured, the maintenance should be relatively minimal.

Veracode's best advantages are detailed reporting for industries such as government work, or other industries that may require exceptionally detailed reports or secure security verifications. However, I would suggest that people look out for the accuracy of results and the usefulness of findings on a large scale. Additionally, Veracode has a difficult-to-navigate user interface.

We use Veracode for static application security testing (SAST). We also use it for scan or software composition analysis (SCA) testing purposes. We mainly use it to triage the flaws or vulnerabilities that are found in our coding standards so that we can enforce secure coding practices at the developers' end. Because we are a part of the security team, we provide mitigation for the development team on all the SAST vulnerabilities that we come across.

We use it for static application security testing. It helps us with proactivity. Before the product or the application is deployed on the production environment, we have a DevSecOps pipeline that kicks in, and we are able to triage the flaws or vulnerabilities that Veracode shows based on our policies using the Open Web Application Security Project (OWASP). Veracode definitely helps us to go through the vulnerabilities and fix them before they go into production so that bad actors cannot exploit them.

In terms of software composition analysis or SCA, we have come across several libraries and packages that were vulnerable and detected by Veracode. We work on getting the latest updates or packages so that we do not fall back on the security front.

When it comes to visibility, I am not sure whether it is through Veracode, but we have our pipelines built on Azure. We do get to see whenever a scan is kicked off and whether the Veracode check has passed. There is no direct visibility in Veracode apart from the dashboard, which does have information about what type of scan has been performed and whether it is a policy sandbox or just a testing sandbox.

Veracode has been fairly decent for fixing flaws. We have mainly been using it for SAST. For DAST, we have our AppScan from HCL, but Veracode is fairly decent for fixing flaws or trying to be proactive and ensuring all of our applications have been securely developed.

In terms of policies, it works fine. Our policies are mostly predefined. They were defined by our previous team. We look into the policies based on the scan dates.

From a developer's perspective, Veracode's greenlight feature on the IDE is helpful. It helps the developer to be more proactive in secure coding standards. Apart from that, static analysis scanning is definitely one of the top features of Veracode.

Recently, I came across a new workflow, which I had seen in Checkmarx, that shows how a vulnerability flows from the start point to the end point of a function. 

There can be a lot of improvement. It does not have a reporting structure for an OS-based vulnerability report, whereas its peers such as Fortify and Checkmarx have this ability. Checkmarx also provides a better visibility of the code flow.

Veracode is 75% or 80% accurate. At times, we do come across a lot of false-positive cases, but this is an issue with all security tools. Unfortunately, we do not see an option to set the policies because policies are predefined. Overall, when comparing it with its competitors, Checkmarx is better than Veracode in false-positive rate. Veracode's false-positive rate is decent. It is not too good and not too bad, but there is a lot of room for improvement. I personally found Checkmarx to be more accurate than Veracode. This false-positive rate has an effect on the security team because, for a false positive, a developer raises a ticket for us, and our job gets a little bit more hectic because we have more vulnerabilities to create rather than focusing on the positive ones. It is daunting when too many false positives are being reported by the development team for triaging purposes. However, in one of the calls related to their roadmap, I saw a feature where you can go through the code, and it provides you with some mitigation. 

I used Veracode at the beginning of my career from 2017 to 2019. I then switched my job, and my next company used Checkmarx, which is a competitor of Veracode. I changed my job again in 2021 and have been using Veracode in this company. Overall, I have close to three years of experience.

It is pretty stable. I would rate it a nine out of ten in terms of stability.

We are using the SaaS offering, so it is pretty scalable. I would rate it a nine out of ten in terms of scalability. 

Whenever there is a flaw that we cannot understand, we have something called Veracode consultation. We raise a ticket and follow up on the ticket. That is it. They are well-versed. The only challenge I face is that I am based out of Ireland. The time zone is a pretty big issue for us most of the time. Whenever we have a code support call, the majority of the time, it happens late at night. That is one of the reasons why we tend to skip the consultation calls. I would rate their support a nine out of ten.

Positive

I have worked with Checkmarx in another job. I prefer Checkmarx over Veracode. Checkmarx provides a better visibility of the code flow. Veracode also has code flow, but it is in IDE, so you need to manually jump through the code and check the flow. It is easier for someone with experience, but someone new to the security domain will find it tough, especially when there is no clear picture of the workflow to know what is going on. This is a feature that I would like in Veracode.

It is a SaaS or cloud solution. It is definitely not on-prem. We sign in using a single sign-on.

I was not involved in its deployment. There is no maintenance as such. 

To those evaluating Veracode, I would say that unless you get hands-on experience, it is difficult to evaluate. So, I would advise getting hands-on experience with the tool. I would also advise checking out other solutions such as Fortify and Checkmarx.

Overall, I would rate Veracode a seven out of ten.

We use Veracode to test for errors in the code in the applications we are building within our service pipelines.

Veracode assists in preventing vulnerable code from entering production. It is essential to ensure that our applications entering production are free from errors.

It has assisted our organization by providing a report that we can share with our developers, identifying vulnerabilities in their code. This enables them to address the issues before the code is put into production.

Ever since the implementation of Veracode, I have noticed that the processes for rectifying the issues in our pipelines have become much easier.

Veracode helps our developers save time. The solution has simplified the coding process for our developers.

I would rate Veracode's impact on our organization's overall security posture as nine out of ten. The solution has been beneficial to us daily, and we haven't encountered any issues with their solution so far.

The capability to identify vulnerable code is the most valuable feature of Veracode.

There are times when certain modules cannot be scanned automatically, requiring us to manually select these modules and initiate the scanning process on our side.

The vulnerability report has potential for improvement and should encompass more detailed information about the vulnerability, rather than solely identifying it.

I have been using Veracode for three years.

Veracode is stable.

I believe Veracode is scalable, but I am not certain.

I rate Veracode a seven out of ten.

I recommend Veracode. The solution only requires a one-time configuration into the pipeline and the testing is done automatically. 

Integrating Veracode with our pipelines is an easy process. We simply use VML files and the integration is done automatically for us.

We currently have approximately 55 microservices, composed of various teams. Altogether, there are about 170 people utilizing Veracode.

I recommend becoming as familiar as possible with Veracode before using it. Even watch online tutorials to ensure that the deployment goes as smoothly as possible.

Veracode is part of our overall security program. We use it to scan our daily build pipelines and all our fielded releases. The primary features we use are static application security testing and software composition analysis.

We analyze third-party libraries for known vulnerabilities and taking action. Veracode is also part of our release procedure. We put the artifacts from the record and attach them to the release documentation to provide our customers with those documents if needed. 

Veracode has improved our product because we're gradually finding fewer and fewer issues through external security scanners or penetration testers. It plays an important role in the continuous integration quality assurance chain. We started using Veracode when it was supporting a 2017 standard. When the security standard changed to 2021, we received new issues. 

We adjusted the policy and no longer have any medium-priority issues in our scan results. It has increased the quality of our security while enabling us to pass the two historical standards and maintain compliance. We have analyzed and cleaned up several thousand issues since we started using Veracode. 

We use our internal policies for the WAF Security Standard, but it isn't an industry-wide policy. We do not use PCI DSS, etc., but it shouldn't be a problem to comply with that stuff. For example, PCI DSS isn't applicable to our case because we aren't managing any credit card data, working with medical devices, or doing anything involving the military. Some standards aren't applicable. 

Veracode offers visibility into vulnerabilities at every step of the pipeline. Every night, we build source code and mark everything that was merged during the day. We check those reports once weekly and correct some issues that were detected. For software composition analysis, it's even easier because every time the record updates, Veracode sends emails to the security team. It also makes me aware of some newer capabilities in software composition and analysis. 

It showed us a lot of flaws in various parts of our product and helped us visualize a lot of issues that we previously didn't know about. We had static code analysis, which is a bit different than Veracode. We were using a static code analyzer from Visual Studio, and it was mostly about development best practices. When we started using Veracode, we realized there were more problems that static analysis alone wasn't catching. It's an excellent tool for showing the vulnerabilities in your software. 

It helps us save time and effort for a portion of our production. For example, if  you're scheduling to release product improvements in the spring, you don't want to fix anything after it goes into production. From that perspective, fixing things before the code is released saves us time. It also protects our reputation because fewer issues enter production. 

It sometimes saves our customers some time because they don't need to perform their own secret analysis because we've already analyzed the product and can provide them with the results much faster. 

It's hard to say that any single feature is the most essential. There are many errors and vulnerabilities in software today in the standard libraries for different vendors because. We don't need to reinvent the wheel every time because we're using standard libraries, and it's important to know that your security isn't compromised because you use libraries with vulnerabilities. 

We use Veracode as a quality gate. We do not do continuous delivery or continuous deployment. We're releasing about twice a year, so we use it as a quality gate in this situation. We should analyze various types of patch software. From my observations, it has been an excellent tool so far. We also have an external penetration testing effort, and the testers have not found any issues, so that tells us that Veracode has been successful at preventing issues from entering production.

I use the software bill of materials. Our product consists of many systems and components and redundancies that must be processed manually. We are in contact with the Veracode guys, and I think the next release will have this software bill of materials added. It isn't a problem with Veracode. It's a problem with the way we upload and build sources. In the implementation stage, we want the results as fast as possible, and we've done it in a way when we upload. It can be optimized when we upload it to Veracode. 

Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using. 

The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row.

In our project, we use a lot of limited packages that link to another library, and there may be issues in those reference libraries. For example, one library might be referenced by several Google packages. When it shows you a vulnerability in one library, you will not see the issues in all libraries. We've discussed the issue with the Veracode team, and they investigate a way to fix this. Hopefully, it will not be an issue. 

I have used Veracode for several years. I've led our product toward Veracode standard certification.

I rate Veracode support eight out of 10. We had to contact support several times in the early years about a licensing issue we faced. We had some false positives in the licensing report from Veracode, so we raised a ticket with the support team, and they resolved it relatively quickly. We have regular meetings with a dedicated representative from Veracode, but we also get help from our colleagues on staff. At the moment, I'm happy with their support. They provide us with the necessary level of quality.

Positive

We used SonarQ, but it's somewhat different because it's a pure static code analysis tool. Veracode has a stronger focus on web security, and we produce a web-facing product, so that's important to us. SonarQ is strictly a static code analysis tool. 

Veracode's setup was pretty straightforward, but there were a few challenges integrating it with our continuous integration system because there are lots of components. We wanted our source code scanned daily, so we had to change our build process. It's a bit tricky getting it to work with various parts of our solution. Our product is too complex, and there are lots of applications and flavors.

We did it ourselves because we have sufficient expertise. We're still tuning up our build process and reports. They have comprehensive documentation. We had help from Veracode support, who answered our questions about integrating the solution with our software. It was mostly building and tuning a little to build our software in debug mode and deploy it back into our cloud.

We can measure our ROI in the amount of issues we discover and remedy. From a quality control perspective, a problem is more expensive if a customer reports it. If we take price into consideration, we've decreased the net cost of security because we're receiving fewer issues from our customers. You must also consider the reputational cost if the customer needs to implement the fix. 

If we find the issue after the fact, we need to provide our customers with the fix, and that may require some additional processes on the customer side. However, it's hard to calculate how much money it saved us.

We are not using the licensing much because we have a strict internal licensing policy. We mostly avoid GPL licenses and their flavors. Managing the licenses can be tricky. Sometimes you add a library and build some functionality around it, so it may cause some problems to remove it from its source. 

Cost is an issue at every stage because you need to evaluate what you're spending and what you expect from the project. You should use common sense and clearly understand the pros and cons. It's hard to say whether the solution is cheap or expensive because it depends on your company's needs. Some companies need Veracode for compliance requirements, and it doesn't matter how expensive it is. It's costly, but it's the best in the industry. You can get something that does the job but it's like a car. You might buy a clunker for a few hundred dollars or an Infiniti for a hundred thousand. 

We tried another solution before we started using Veracode. I believe it was HCLAppscan.

I rate Veracode eight out of 10. You should evaluate at least two vendors based on the company's needs. A host of issues need to be addressed, and it's a significant task. Veracode shows you many issues, but you must develop processes to address them. It was impressive when we first scanned our sources and found a thousand, but we had to develop compliance policies to deal with them. My advice is to not make the policies too strict. For example, you can start with high-priority issues. 

When we develop an application with source code built on Java, JavaScript, and mobile technologies such as Android and iOS, we ensure that the source code is free from security vulnerabilities before sending it to production. To achieve this, we package our source code and scan it using Veracode. This scanning process is our primary use case.

We set up pipelines for this purpose, and the warehouse operates on a cloud provider. To make the Veracode API calls for support, we utilize Veracode API libraries which use the URL that is hosted on the cloud. We then initiate a scan on our source code, which goes through different stages, including scan, upload, rescan, validation, and finally, we obtain the results.

Veracode provides visibility into the status of applications at every phase of development to a certain extent. Veracode scan reports present a comprehensive view of planned releases that are scheduled to go live in the coming days. To keep the team informed, we run a scheduled deployment, sending email notifications twice a week for each application. This alerts the team to any issues that may need fixing. However, it's worth noting that the system is not fully integrated into the pipeline and notifications. Nevertheless, Veracode offers an API. This interface allows us to obtain the XML result file, and subsequently, I can extract and analyze the values from the XML. Once the scan is complete, Veracode API will fetch the XML report and store it in my workspace within the pipeline. From there, I can execute an XML parser function to obtain the application status results.

Veracode has been helpful in reducing our developers' time by around fifty percent. For an application to meet internet safety standards, the code must achieve the VL4 level in Veracode. According to Veracode reports, our developers can focus more on resolving the issues rather than trying to identify them.

The most valuable feature is the seamless automation of Veracode via the pipeline, in comparison to other solutions like Fortify SSC, which are complex to integrate through the pipeline. Although there is a lot of coding involved in writing each end, Veracode breaks the process down into multiple steps. We first package our source code and upload it, after which a pre-scan is conducted. If the pre-scan identifies any files that don't conform to the Veracode format, it will display a warning or prompt us to correct the issues before proceeding. This allows us to have programmable control; in fact, we can program Veracode so that after the upload is completed, it automatically scans the files to check if they are all in Veracode format.

For example, my ZIP file contains a hundred files. Out of these, ninety files meet Veracode's criteria, while ten files are incorrect. I can instruct Veracode, through pipeline automation, not to wait for manual action and continue with the scan or upload the scan results. Veracode can automatically proceed with the selected files in this scenario. All of this can be controlled programmatically. Furthermore, once the scan report is generated, it becomes available in the workspace, and we can send an email with this report as an attachment. This type of report is referred to as a detailed Veracode report and can be customized. Typically, we prefer the customized report, while some developers may also opt for XML reports. The ability to manage this sequence of steps in the Veracode scan is programmable and can be handled accordingly.

Veracode's false positives have room for improvement. For example, if there is an applicant named ABC in Veracode. I have uploaded my Java file, which contains a hundred lines of code. I suspect that the ninetieth line includes a hard-coded password. Thus, during the scan, it will identify the presence of a hard-coded password on the ninetieth line and suggest how to mitigate and resolve this issue. In the next scan, I added fifty more lines of support and fixed the password-related problem. However, the line containing the password is no longer at the ninetieth position; it has moved to the hundredth line. Despite these changes, the next scan still detects the password flaw. Even though I encrypted the password and added the required string, the issue continues to be flagged. This constant flagging of the issue, even after resolving it, is one of the major drawbacks. To overcome this problem, we decided to create another application. This action was taken to prevent the recurrence of such issues. In the future, when I have a release in the coming months, I cannot keep encountering this problem repeatedly, as it still flags the issue as long as the code is in a different line. We have spoken to the vendor several times about this issue and scheduled a work order consultation call, but we did not receive a response.

In order to achieve software consolidation and analysis reports for Android applications, we need to utilize a third-party utility called SourceClear along with Veracode scanning. This complicates the market and has room for improvement. 

When scanning a file that is over one gigabyte in size, there is a high chance that Veracode will continue scanning. When we initially encountered this issue and investigated it, we raised a ticket. As a result, a Database Lock occurred, causing Veracode to become stuck.

I have been using Veracode for almost four years.

I would rate the stability at seven out of ten, considering the false positive issues we are experiencing.

Veracode is scalable.

I am not entirely satisfied with the technical support because I believe we have been waiting to send our code to production and waiting for an update from the vendor to resolve the issue. When we raise a support case, there is no response, and even after it happens two or three times, I don't know if they read the details of the issue when a ticket is raised. If someone has already attended to the same call, they will not attend again; instead, a new person handles it. Consequently, we have to explain everything all over again to the new person. We are aware that they know they don't have a solution for this problem. However, by the time we explain it to the new person, they ask the same questions again. Each consultation lasts 40 to 45 minutes, and we are billed for them, but we spend most of the time repeating what the issue is.

Neutral

The initial setup is straightforward. Even the pipeline setup is easy because there is an API, so we don't need instructions. Veracode is hosted in the cloud, so we need to set up a firewall to connect to it via proxy. The deployment took a few weeks because we had to figure out how to perform the scanning from the pipeline, enable the scan, and upload the scans for each Veracode API. Additionally, we had to seek assistance from HR to implement all the steps, which took some time.

I give Veracode a six out of ten.

We cannot simply create one policy and claim it is compliant unless all my issues are thoroughly flagged based on that compliance and the complaint. As technology improves and we move forward, bugs and certain issues may arise, and we may not always know the solutions or the severity level of their impact. Considering this perspective, Veracode is acceptable. I will illustrate this with another tool, Fortify SSC. Suppose there are newly added licenses or rules for software compliance in their security scanning tool. In Veracode, if I wish to update the new compliance tools or checks that the algorithms run against it, I must obtain approval from the architect. This approach has its advantages. However, in the case of the tool I am currently working on, Fortify SSC, there is something called a 'rule pack' for each language. I have the option to keep the existing version of the rules or upgrade to the latest rule pack. This feature works as a toggle option in Veracode.

Tuning policies is essentially the application of specific policies. When we deploy a policy, it affects all our scans and issues. The new policies applied are divided by Veracode and, when implemented, impact all the applications. Therefore, most of the time, when we apply a new policy, there is a chance that if there are three flaws, we can assume there are thirteen million flaws in my current scan. If a policy is applied, there are definitely ten to fifteen additional issues in the new scan after implementing the updated policy. Thus, there is always an increase in the number of flaws when there is a new policy update.

There are certain flaws. For example, I am releasing a package into production, and I conducted a Veracode scan against the source code, which is stored in the bin bucket. So, even if I fix the issue on my own, the same issue will be flagged again due to the change in client number. This is a significant problem because we cannot explain to the higher management that the report contains the password, and we have already taken measures to mitigate the issue. We cannot claim that this issue has already been fixed, as it continues to resurface. It is a Veracode issue, not one originating from us, but it becomes complicated when higher management sees a report indicating the same issue from the previous month. We don't know what to do. One of the ways we addressed the issue was by reducing the number of times the same issue occurs. For instance, in my previous work at a bank, we had applications specific to each country, like one for Singapore, one for Malaysia, and so on for most Southeast Asian countries. Although our master bank application was the main source, we created individual applications for each country in Veracode. As a result, the number of false positives or issues that were previously mitigated or closed and kept reappearing from month to month was reduced, but they were not completely eliminated. By switching to a different application for each country the false positives were reduced by around seventy percent.

Our organization was approached to adopt Snyk; however, it is a startup solution, and the bank prefers something that is well-established. Currently, we are using Fortify SSC. 

We have a five-person IT team that is responsible for all the DevOps tasks, including Veracode.

Compared to Fortify SSC, which has a complicated setup requiring three installations, Veracode is easier because the app is hosted in the cloud. All we need is a support license, and they will create a project for us. We can create a firewall proxy, and the API pipeline is already in place. To create a scan for another application, we simply copy and paste the code and change the application's name. 

The main purpose of Veracode is to deliver secure code on time. We use it to test our application security, at the implementation stage to make sure that code is secure. We do static and dynamic testing, as well as penetration testing with Veracode. We also use it for security threat detection for our enterprise applications.

It empowers our developers to fix security issues and achieve desired outcomes. It's a very secure cloud platform and helps us monitor our web sources for any attack. We have been able to completely secure our enterprise software, which is on the cloud, with the solution. Overall, we have been able to reduce the risk factors for our enterprise software. Also, determining security threats to our application happens faster now with the help of Veracode. The benchmarking capabilities against industry standards and the compliance help us a lot.

Veracode also provides a lot of programming language support and different frameworks are available, which enables us to get things into production much more efficiently. Our SDLC has become much smoother and more secure with Veracode.

And it has definitely helped our developers save time. It helps them with future references because, if they write code one time with errors that Veracode finds, the next time they use that as a reference and don't repeat the mistake. In that way, in the continuous development process, a lot of time is saved. It saves us about 20 percent of our time.

We are able to create more applications now, and code more, while worrying less about errors while coding. Worrying about fixing the flaws in an application is completely taken care of by Veracode, so we are able to focus more on creating new code and developing new applications. Veracode has been a great platform for that particular purpose.

We have also found more security vulnerabilities in our code, which has helped us produce much better applications for our end-users. Most of the time, vulnerabilities go unnoticed by humans. Veracode helps us pinpoint the exact vulnerability, what it affects, and it helps us correct it for future reference.

One cool feature is the static code scan, which is very good. 

Also, the dashboards and the threat insights it provides are very good. The dashboards are intuitive and pretty straightforward, but also pretty detailed.

We get good, actionable insights at each stage, including static, dynamic, and penetration analysis, and it reduces overhead for us. 

It also has compliance monitoring and reporting capabilities that I like very much. The compliance reporting is a great feature because there are a lot of different frameworks and channels, and each unique channel has its individual compliance monitoring and policies. Veracode helps us prepare for all the different challenges.

The false positive rate is a gray area. The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives. We expect false positives, but if that ratio could be reduced to a single-digit number for the false positives, that would be much more helpful.

We are spending some manual effort and time on this because it happens sometimes, when we first scan code, that it says there is no threat. And the second time we scan it, it says there is a threat. Those kinds of positive responses make us do double work. If that was better, it would greatly improve our overall efficiency.

Apart from the false positives, I would like to see more plugins and integrations to make Veracode much more user-friendly for developers and users. Any IDE plugins would make our work faster.

My experience with Veracode has been over 12 to 14 months.

Overall, because it is a cloud platform, stability is not a concern. It's quite stable. To be strict about things, the UI can be very slow. There is downtime now then, and I understand why it happens, but I would appreciate it if that happened less.

We are not going to scale it right now. We have about 18 developers and five or six administrators using the solution, and I don't expect that will change for now. But you can purchase more licenses. It's definitely scalable in that sense.

We have it in a single location only and it is used across three or four development teams in our office.

Veracode support is very knowledgeable and very prompt. The Veracode community is also available, which is very good.

Positive

It's only deployed on the cloud. Although I was not a part of the initial deployment, I know for a fact that the deployment can take a long time.

As for maintenance, there are software updates, but apart from downloading the software updates, there isn't any other maintenance required on our side. It's a cloud platform so it self-maintains.

Our ROI is that we have seen a tremendous increase in the overall security of our enterprise software. It has helped us engage better with our clients and our retention rate has increased about 7 percent. We can't pinpoint that directly to using Veracode, but since we started using it we have seen this retention increase.

The pricing is fair. We are planning to renew for the next year.

It's definitely value for money. I would tell someone who is looking at Veracode not to be concerned about the pricing because the value that they will get, for this price, in the market, is very good when it comes to their long-term plans.

If a proof of concept is possible, I would ask you to try it out first to get a sense of what Veracode is before investing. But investing in this tool is very much needed. With security threats, for long-term purposes, the code-level threat detection and code-level error detection are very much needed by any organization.

We use Veracode for product testing.

We exclusively utilize Veracode for a product used in our consulting services, which we provide on a licensing basis.

We deploy Veracode in the cloud and can utilize any cloud provider, including Google Cloud, Azure, and AWS.

Veracode's ability to prevent vulnerable code from entering production is both effective and thorough.

The SBOM feature is straightforward, making it easy to create reports. The SBOM feature is crucial to our organization because we can utilize the report to effectively present a product to customers, demonstrating its viability and security. 

Veracode has helped us improve our secure coding practices, which, in turn, has boosted our confidence in selling our products.

We were able to experience all of Veracode's benefits for our organization within the first year.

Veracode helps to provide visibility into the application's status at every phase of development. This helps us ensure that our code is secure from the start, saving us time that would otherwise be spent sorting through bugs at the end. 

Veracode's false positives are beneficial for our developers as they assist in organizing and understanding the implications of these false positives.

Veracode has helped our organization address flaws by identifying our mistakes. The initial usage of the solution was challenging due to the large number of code lines that needed to be read, but it became easier over time.

I find all the features valuable, especially dynamic scanning, static scanning, and software composition analysis.

When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us. The duration of the manual penetration testing process needs to be improved.

The cost of the solution can be reduced.

I have been using Veracode for two and a half years.

Veracode is a stable solution.

Veracode is scalable. Veracode is used by around four people in our organization.

The technical support response time is slow. 

Neutral

The initial setup is straightforward. Veracode is a virtual platform, so all we need to do is upload the code, and it will be ready to use. The deployment was carried out by one of our senior product managers.

The implementation was completed in-house.

Veracode's pricing is on the higher end, but it is acceptable.

We evaluated multiple solutions, including BlackBox, three years ago. However, Veracode was the only solution that had all the features and also had a proper certification system in place. The other solutions did not provide a comprehensive suite. For instance, they offered static scanning but lacked dynamic scanning, whereas Veracode provided both, along with a training module.

I give Veracode an eight out of ten. The solution is comprehensive, albeit a bit costly.

We have not observed any impact on our policy reporting and compliance with industry standards and regulations since we started using Veracode.

The false positive rate is slightly high, but we are able to manage it. The false positive rate of the static analysis has not affected the time we spend on the tuning process.

Veracode has not affected our developers' time significantly, as the response rates for certain tasks have been slightly slower.

I recommend conducting a cost analysis and rate of return evaluation to determine whether the solution is worthwhile. I highly recommend using Veracode for complex products, but it may not be as valuable for simpler ones.

Veracode does not require any maintenance.

I have learned that it is necessary to plan our strategy for the product and security prior to using Veracode.

We are a Veracode reseller and we utilize their solution for software vulnerability analysis. Our primary objective is to identify any security issues in open-source libraries that have been rejected. Additionally, we perform dynamic code scanning and employ Static Application Security Testing for comprehensive application security testing.

Veracode prevents 100 percent of vulnerable code from entering production.

Veracode has assisted our customers in deploying safely, thereby reducing both risk and hassle. Additionally, the solution has aided in reducing the costs associated with problem resolution. We noticed the benefits within the first day of using Veracode.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is excellent. We only need to specify the regulation we must comply with, and the report will be generated instantly.

Veracode provides visibility into the status of applications at every phase of development. It is one comprehensive integrated system, but we can also utilize specific features like SAST if we require it.

In the absence of Veracode, the security team typically informs the developers about the policies that must be adhered to, and they enhance the code in a manner that ensures compliance. However, when Veracode is utilized, this step becomes unnecessary. Each individual focuses on their respective strengths, allowing for seamless collaboration.

We have compared Veracode with other solutions, and its false positive rate is the lowest in the industry.

Veracode's low false positive rate is key to our ability to avoid being burdened by false alerts and focus on fixing code.

Veracode's false positive rate of the static analysis has helped save us time.

Veracode helps fix flaws. Our customers have reported that it is faster and more compliant, making it easier for them to send out reports to various stakeholders when they have questions. For example, when dealing with higher-level management, we can create a report containing comprehensive statistics and informative pie charts, which greatly assists them. Additionally, this helps demonstrate the value of Veracode during internal assessments.

Veracode helps our developers save time. 

Veracode helps improve our security posture as it ensures compliance and simplifies the process.

Veracode helps our developers save costs.

Static code scanning is the most valuable feature. Moreover, Veracode integrates with various frameworks and workflow solutions.

Veracode has the capability to identify flaws in the code. I would like Veracode to also have the ability to fix these flaws in a future release.

I have been using Veracode for four years.

Veracode is an exceptionally stable solution.

We can scale Veracode from one to thousands of applications within a minute.

Veracode is used by some of our customers for individual applications, as well as by others for thousands of applications.

The technical support is great.

Positive

In addition to previously using SonarQube, we also employed several other solutions before transitioning to Veracode due to its superior reporting capabilities.

The initial setup is straightforward. The deployment time depends on the size of the built solution. If we consider a relatively modest number of apps, I would say that they can be up and running within a day or two. We first completed a good analysis of what our customer wanted and because Veracode is a cloud solution, we can have a code scan running within minutes. It is easy to integrate other frameworks and work with applications that are already integrated with Veracode. One product owner or software developer can handle the deployment.

The implementation was completed in-house.

With Veracode, the benefits are clear, and we can see a return on investment through the visibility it offers. This enables us to fix flaws sooner, thereby reducing the time to market for our customers.

Veracode provides value for the cost, with no additional charges apart from the standard licensing fee.

I would rate Veracode a perfect ten out of ten because it consistently delivers on its promises.

Those who are concerned about Veracode's price should be aware that the solution holds value. Additionally, they should consider that other solutions are on-premises and require additional fees for reporting traffic processed, unlike Veracode.

The maintenance is all taken care of by Veracode.

Veracode is so straightforward that I have no advice to offer to anyone.

There are many companies out there that do not consider code security when thinking about cybersecurity risks. This holds true even for larger companies, where it is still a greenfield situation.