Veracode Reviews

We use Veracode to scan our websites at the beginning of the development process. When we are ready to launch a new application on the website, we upload it to Veracode for scanning. Veracode finds any vulnerabilities in the code and returns the results to us. We must then resolve all of the vulnerabilities and mitigate any risks before we can publish the application. We have also set up recurring scans, so that any time we release a new version of the same application, Veracode will automatically scan it again to ensure that we have not missed any vulnerabilities. We have been using Veracode for six or seven of our websites.

Veracode's ability to prevent vulnerable code from entering production is comprehensive and effective.

Veracode has been very helpful as a preliminary step to launching our products to ensure that they are secure. It has also helped our developers learn the security checkpoints that we need to follow so that they can code with security in mind.

It provides visibility into the status of our applications at every phase of development throughout the software development lifecycle. We heavily use the Veracode Greenlight plugin for Visual Studio to scan and check our code as we write it. Veracode also helps us to develop our applications securely. We have configured our QA websites to be scanned by Veracode so that we do not push anything into production that is insecure.

I recently encountered a Veracode false positive, but we immediately mitigated it on our end. Veracode also filed the case and will include it in their code to mark it as a false positive. We took action after that.

False positives are rare. Veracode provides us with enough information about the issue, so we can usually identify them as we go through the report. We are also learning from the issues and from Veracode itself. If a false positive is reported, it is fine and does not have a significant impact on us.

Veracode has been incorporated into our process, which helps us fix flaws. Whenever we develop external websites, we consider the code, the scanning, and everything else involved. This ensures that we are prepared and have enough time to receive the scan results and fix any issues. We have essentially incorporated this into the lifecycle of our project, which I believe is very valuable.

We like the fact that all the issues are identified and that Veracode provides sufficient information on how to resolve them. This is very helpful if we need to troubleshoot problems ourselves, as we have plenty of information at our disposal. Additionally, we appreciate the option to request a consultation directly from the issue itself. Whenever there is a problem, there is a small button that says "Reach out to a consultant." We can then schedule a call with a consultant who can help us resolve the issue.

Veracode provides us with some usage metrics. These metrics are based on the number of times we use Veracode, which is tied to our static scans. We only use static scans when we make changes to our code, and we have a part of our pipeline that runs the Veracode scan whenever we make a change or deploy the code. However, we don't deploy code very often because we have 20-30 websites in our company and we don't dedicate a lot of time to each individual website. So, when we do make changes, we will run the scan because it's part of the pipeline, but this has been affecting our usage metrics. We're not sure why Veracode's usage metrics are designed this way, but maybe they can provide some insight. We use these metrics, but we're now thinking about getting different metrics from Veracode. I started looking into setting up some dashboards myself so that we can have our own dashboard and statistics, such as how many flaws we've resolved in the past six months or how many issues we've identified when we're deploying a new website. We're more interested in these types of statistics than in how many times we're using Veracode because fixing flaws is the value that we're getting out of Veracode. Maybe setting up a new dashboard would be helpful, but that's something that Veracode can provide clarity or insight on.

I have been using Veracode for four years.

Sometimes, the scans halt or drop for some reason, and we need to get help from Veracode to fix it. However, this is not a major issue.

I opened a support ticket to use Veracode's consultant feature. When the consultant called me, the consultation was very smooth and easy. He had already reviewed the flaw that I had mentioned, my description of the issue, and the issue itself. He was able to provide good insight and help me resolve the issue quickly. I have done this a few times before, and the consultants are always well-prepared and give me all the suggestions I need. They already have a lot of information on their website, but they also go above and beyond by providing additional information and specific instructions when I schedule a consultation call. They have been very helpful in the past.

Positive

The deployment was straightforward. Three people were involved in the deployment.

The implementation was completed in-house.

I would rate Veracode nine out of ten.

Veracode has a bit of a learning curve to get used to its different modules, such as our integrations, APIs, and our policies, as well as getting insights. However, my experience is that once everything is set up and scanned on the website, I really like the process of reviewing the flaws that Veracode lists and responding to the resolution steps that it provides. I also appreciate the ability to set up a consultation call and have the issue resolved. I think these are the steps that I really like, and they are helpful to me as a developer. Veracode helps me to learn about security considerations first and foremost, both while creating an app and after, and that has been a good experience for me.

We use it for security, to analyze our code.

It changes the DevSecOps process because we find flaws much earlier in the development life cycle, and we also spot third-party software that we don't allow on developers' machines.

It's bringing clarity to the flaws that we can mitigate, and that's the main purpose. We can have a brisk conversation about the flaws. Not all flaws need to be fixed because there might be other protection measures implemented.

Veracode has increased our level of security to the highest possible standard, so we have been able to be ISO certified and meet Microsoft compliance. We have met many industrial standards from a compliance perspective by having this high level of security and trust in our application. That applies to our platform as well, because the dynamic analysis has opened up vulnerabilities in the platform.

We are using three of the features. Static analysis, dynamic analysis, and the code composition for third parties. We also use their Security Labs for training.

Veracode does a great job of preventing vulnerable code from going into production, and its policy reporting for compliance is also very good. It meets our needs.

And if you use it correctly and bring early feedback into the developers' environment, it provides visibility into application status at every phase of development. But if you only use it as an analysis after the product has been built, then you don't have the whole life cycle. So it really depends on how you integrate Veracode. For us, it gives full insights.

There might be room for improvement in the in-app guidance and the tips and tricks for the developer about how to progress. We would like more insight into the development environment, where they would get guidance on how to avoid flaws.

I have been using Veracode for the last three years.

We use SonarCloud, which does a different type of analysis on the static code but not on the compiled code. It's a different way of detecting security flaws.

I was involved in the deployment of the solution all the way through, from purchase to acquisition and deployment. It involved a lot of new learning. But we had a very good implementation consultant from Veracode assigned to us who made it pretty simple for us. I don't think we could have done it ourselves.

We did a proof-of-value exercise, which included educating two senior developers. The total implementation time was about two months. We focused on one area of our application and got the scanning process up and running and stable. Then we started applying it to more applications.

We only used two people from our organization to complete the work. Then we educated all the developers about using the extension with the EDI. We then found a person who would be responsible on each delivery team who ensures that their application is maintained within our policy level. Each team is responsible for keeping their application within those standards.

We got help directly from Veracode. I would rate their help at eight or nine out of 10. They helped us implement it into our pipelines, daily processes, and software. And they helped us understand how to mitigate the flaws and how to open up consultation hours if there was something we disagreed with, such as false positives. They gave us very good onboarding and implementation.

From a commercial perspective, the impact that the Veracode certification has had on our ability to sell to large enterprises is non-debatable. The return on investment has been met, for sure. It took six months and occurred when we had finished implementing and got the certification.

We haven't really done any price checks on the competitors.

We purchased a Security Labs license to keep our developers trained in new security practices.

Every development company is different. If someone is looking at Veracode but concerned about the price, it probably depends on their technology stack. There are pros and cons for every decision. As a happy customer, I can say that the service level that I have received from Veracode has been high and understandable every time That also counts a lot. And it's not about the software; it's about how we actually utilize the software best.

We had three or four other candidates from the reports that we evaluated from a user review site, but we ended up deciding to use Veracode because it had the best price and match for our technology stack.

At that time, Veracode's advantage was predominantly because it was SaaS-based software, and the implementation team was very supportive in making sure that we got it properly integrated into our processes.

The false-positive rate is constantly maturing. It's very much based on how many respond back. It's learning based on the false positives. My team thinks that it's better to have a false positive many times than miss a real one. The effect on developer confidence in the solution when fixing vulnerabilities is that it sometimes leads to frustration because they find that it's slowing them down, but the way that the engine is constantly maturing means it is becoming better and better.

I don't think any security or quality analysis tool brings speed. But it increases the quality, both from a risk/security and reliability perspective. But if you're looking at productivity, none of these tools bring productivity. They mitigate risk. It has not made our development process faster.

It's a fast solution, so we use it to search for vulnerabilities in our code, software composition analysis, and to search for vulnerabilities in our libraries. 

We have some security gates and it's not possible to release some applications from production. We can look at the solution and see medium, high, or critical vulnerabilities with ease at every stage. 

The speed is the most valuable aspect.

Veracode's ability to prevent vulnerable code from going into production is very good since we have a few false positives. I'd rate this feature nine out of ten.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is great. It has a detailed report that we can look at to see our landscape easily.

Veracode provides visibility into application status at every phase of development Verticode static analysis, dynamic analysis, software composition analysis, and manual penetration test throughout your SDLC. It positively affects our DevSec processes. It's not possible to bypass Veracode. It's very secure.

There are very few false positives. I'd rate the false positive rate as nine out of ten. It's very good. It's very positive for developer confidence. They understand security development very well and Veracode provides excellent transparency.

It's reduced the time we've spent on tuning policies. We've saved around two hours. We used to waste around 3 hours and now we can do what we need to in 30 minutes.

It's helped our team fix flaws. The security gate helps our developers learn how to fix vulnerabilities. The solution has also helped them save time in their efforts. It provides descriptions of how to fix certain items. It saves them from having to search on the internet for fixes.

The solution has had a positive effect on our security posture. I'd rate it nine out of ten. We have very secure applications. 

They could improve how they fix vulnerabilities. They could have more support in place to help the developers. That would help a lot of users.

The pricing can be improved. It is really, really expensive. 

I've been using the solution for five years. 

I'd rate the scalability nine out of ten. 

We have about 500 end users of Veracode in our organization.

I'd rate the scalability ten out of ten. It's very good. 

Technical support is good. They are always communicative and share news and new technologies. They offer new languages and frameworks regularly.

Positive

I previously used Checkmarx in the past, as well as Fortify. I used it in another company. However, in banking, it's not possible to use something like Checkmarx. Veracode is more secure and more trusted. 

I was involved in the deployment. It was not complex to deploy. It was straightforward. The implementation strategy included looking at different flags and vulnerabilities and deploying in phases. 

We had five to seven people to deploy the solution.

I'm not sure if there may be maintenance required.

We used a third party to help with the deployment. Our experience was good. 

I'm not sure of the exact amount saved, however, we have noted an ROI. We have avoided application vulnerabilities in production. We don't need to rework things since we look at the vulnerabilities right in development instead of after deployment. 

It has reduced the cost of dev backups in our organization. 

The pricing is expensive. 

However, if you have applications and not enough people to analyze the flags, you must use Veracode as it delivers very few false positives.

I did evaluate other options before choosing Veracode. I looked at Checkmarx and Fortify as well as a solution made in Brazil.

We are a customer and end-user.

I'd rate the solution nine out of ten.

I'd recommend the solution to others. 

We use Veracode to ensure our solutions meet the security standards in the financial industry in Nigeria.

Veracode does an excellent job to prevent vulnerable code from entering production.

Veracode ensures that the products we create for our clients are free of any code-related issues. This keeps them satisfied with our service and encourages them to continue doing business with us.

Veracode provides peace of mind and increases confidence in our code within the market. We realized the benefits within a few months.

At first, we experienced a high number of false positives, but the Veracode team provided guidance that enabled us to significantly reduce the count.

Initially, our developers were frustrated due to the high false positive rate. However, as we managed to reduce the number of false positives and the developers recognized that these were not actual issues, their morale improved, and their acceptance of the use of Veracode increased.

The false positive rate of the static analysis reduced the time that we spend on different operations.

Veracode has had a significant impact on our organization's ability to address flaws. The solution is capable of detecting issues and providing suggestions that assist us in rectifying problems within the code.

Veracode helps our developers save time. We review the recommendations provided by the solution, adhere to our best practices, and then proceed to implement these suggestions. In cases where we might have had three lines of code, the solution is capable of reducing that to one or two lines. I would estimate that Veracode has decreased our developer time by 40 percent.

Veracode enables us to enhance our security posture by applying the knowledge we acquire through Veracode to all our new projects. Additionally, we can revisit previous projects to implement upgrades and add features, thereby enhancing their security.

Veracode helps to decrease our DevSecOps costs by saving our developers' time and aiding in the production of error-free code.

The static scan is the most valuable feature. We are also currently evaluating the Dynamic scan.

Veracode is costly, and there is potential for improvement in its pricing. In our region of the world, it is challenging to attract a significant number of sign-ups due to its unaffordability.

I have been using Veracode for one year.

Veracode is stable.

Based on the limited interaction we've had with technical support, I am satisfied with their service.

Positive

We used a tool in the past that was free, but we couldn't depend on the quality of the scans it provided in the free version.

The cost of Veracode is high.

There comes a point when we must make a decision between cost and quality, and we chose to prioritize quality by selecting Veracode. The confidence that Veracode instills in both our developers and clients justifies the associated cost.

We have four solution licenses for the static analysis scans.

We also evaluated one of Veracode's competitors. After conversing with the sales and technical teams of both solutions, we concluded that Veracode was the best choice for us.

I rate Veracode an eight out of ten.

We are currently in the process of investigating Veracode's capability to offer insight into the status of applications at each stage of development.

We use Veracode to scan our codes for vulnerabilities and risks.

Veracodes' ability to prevent vulnerable code from entering production works very well and it can detect the type of script used.

The software bill of materials helps us understand the industry that we are in and ensures we have a stable solution.

We can easily create a report using a software bill of materials because it has good templates that we can use.

Veracode has improved our organization by allowing us to fix the flows quickly for our clients by making data coding easy.

Veracode provides visibility into all phases of development.

The visibility into our development provides confidence to our DevSecOps that they will be able to deploy on time with no errors.

The false positive rate is good but we require a lot of skills to utilize it properly.

The false positive helps our DevOps troubleshoot every stage of development and increase their efficiency which boosts their confidence.

Veracode has helped our developers save around 20 percent of their time.

It has increased our organization's ability to fix flaws. We can scan code in a video which reduces costs and risk.

Veracode has increased security in our overall security posture because it detects flaws during scans.

We have saved around $500 a month in DevOps with Veracode.

Code scanning is the most valuable feature. 

The templates allow us to create wonderful reports.

The software bill of materials feature helps our supply chain security.

The backend support team of Veracode requires improvement as they are difficult to reach when we encounter issues.

The UI is not user-friendly and can be improved.

The speed of our internet connection affects the scanning process, which may take a considerable amount of time to finish. As a result, this can lead to challenges in planning and reporting, causing confusion.

I have been using the solution for three years.

It is stable.

Veracode is scalable.

The support is slow to respond.

Neutral

The initial setup was straightforward. I deployed the solution myself within three days.

The implementation was completed in-house.

We have seen a 32 percent return on investment with Veracode.

The licensing cost for Veracode is fair.

I give the solution an eight out of ten.

Veracode is user-friendly depending on how we use it. 

We have seven people using the solution.

Veracode does not require any maintenance on our end.

Veracode is a secure, reliable, and sustainable tool that all organizations should use for scanning code.

I use Veracode to ensure the projects I deliver don't have vulnerabilities. 

Veracode provides insight into vulnerabilities at every stage, so your team can progress through the development cycle more efficiently. It improves developer confidence by showing us our capabilities and the potential of our code. 

Our developers improve and become more efficient using Veracode. Once we identify issues in our code, it's much easier to avoid the same mistakes in future projects. It teaches them how to overcome those vulnerabilities and errors while reducing costs.

Veracode saves a lot of time compared to traditional methods for identifying vulnerabilities. We save around $500 a month using Veracode because we don't need to hire experts. 

Veracode has improved our overall security posture. We feel assured that applications we deliver to clients or use internally are highly secure. It has helped us develop strategies to create stable, secure platforms.

I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate. I love the Software Bill of Materials (SBOM) feature because it helps you explore various industries and understand what to do to minimize risks and maintain compliance. It's straightforward and ensures my applications are compliant. 

It's easy to create reports using the SBOM feature because it has templates that you can customize depending on the reporting requirements. It gives me a report of the compliance requirements for any industry. It helps us internally and improves the services we provide to our clients.

Veracode is great for preventing vulnerable code from going into production because it covers various programming languages like JavaScript and PHP. You can be confident that your code is secure no matter which language you use.

Static scanning takes a long time, so you need to patiently wait for the scan to achieve. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings. 

I've used Veracode for three years.

Veracode is stable. I've been working with it for a long time. 

I rate Veracode support 10 out of 10. They're friendly and responsive. 

Positive

Deploying Veracode is straightforward. I did it with one other colleague. 

We can afford Veracode, but it's too expensive for small enterprises. If you're concerned about the price, you should weigh the benefits you can achieve. It has saved us a lot of money on DevOps. We save about $500 a month by not outsourcing this work to experts.  

I rate Veracode eight out of 10.

It's an excellent product for developing a secure platform that will benefit your company and its customers while helping you build a sustainable development team. Before implementing Veracode, you need to prepare and have at least one person who understands how to use the product. 

In my previous company, we had a healthcare app. We used Veracode to run a spontaneous static analysis as well as dynamic analysis, to resolve our vulnerabilities. We were releasing versions every month. Each month we were looking at the results of Veracode and fixing the problems.

It helps fix a lot of flaws and bugs. As a developer, you look at things with a different perspective with the Veracode results. You can see that certain things can be implemented in another way, how they can be more secure. As a result, it helps improve your level of understanding and decrease the number of production issues.

Using Veracode, it was very interesting to see the difference when I compared things over a three-month timeline. During the initial three months, when I started using Veracode, I found the percentage rate of flaws was around 60 to 70 percent in the entire file we were uploading. After using Veracode over the next three months, our score decreased to a 30 to 40 percent flaw rate. We were able to do our quarterly development in a very secure way.

For example, we recently encountered a flaw that might be exploited. We implemented a function to store passwords that were encrypted. That functionality was written in a pretty vulnerable manner. By looking at the code, we could see, "Okay, this might be exploited." But when Veracode pointed out multiple times, "This might be vulnerable," and "This might be vulnerable," it helped us improve our developer standards. It gave us a brief idea of how this particular code implementation could be improved.

There is also a feature called Veracode Pipeline Scan which provides instantaneous feedback. That was a major addition to our process and has worked out very well. Developers get instant feedback about their flaws, making them easy to fix while in pre-production. That is one of the major boosts that we have implemented. It enables our developers to fix things in parallel, and that has saved time, about 20 to 25 percent, and resulted in better coding. As a security guy, I can see the differences between the initial processes and the processes we have six to eight months after implementing Veracode Pipeline Scan and Veracode in general. 

Overall, it has reduced the time that we used to spend working manually to pinpoint the issues that we found. Veracode makes it an automated process. Also, we can use it in parallel. If Veracode is the main "hub," we can have "sub-hubs" such as static analysis and Veracode Pipeline Scans. Both can be done simultaneously, reducing the manpower required by a lot, and providing correct results. And it has improved our understanding of the different kinds of flaws and vulnerabilities that are in the report. Veracode, as a tool, has made things better.

In terms of security posture, when I had just joined my previous organization, there was a meeting about client feedback. Initially, their comments were that things were not very stable. They said it was easy to steal data. After using Veracode, and as our developers adapted the tool and developed secure code, the client's feedback was that things were pretty stable and good. At first, the feedback was very ruthless. We were not up to security standards. But once we started using Veracode, it became the main pillar of our security. We overcame certain challenges and the client feedback was pretty good.

It yields around 90 percent accurate results. It pinpoints the errors. Its accuracy is very interesting. It also elaborates on flaws, meaning it provides you with details about what is valid or not and how something can be fixed.

Another valuable feature is in the dynamic analysis, which provides information on which libraries are outdated so that we can improve them and get them up to date. We found a lot of outdated libraries in use in our organization. As a result, it has improved our stability. The software composition analysis keeps you updated on each kind of data it reports on, including libraries and third-party DLLs.

There is a sandbox limit of 10 so any company using Veracode needs to plan for only having those 10 sandboxes. If they increased that to 25 or 30, the scan time would decrease and the results should be more effective.

There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. 

Also, the duration of the scan is a bit too long.

I used Veracode in my previous company but recently changed to a new company. Overall, I have used it for around 1.5 years.

Its stability is fine. On a scale of one to 10, I would give it a seven for stability.

It's a scalable solution.

We have it implemented in two offices, the main office in the US and a single office in India. There are only 10 to 12 people using it in our organization, meaning in India. I am not aware of how many users there are in the US.

Their support team needs to respond in less time. It takes a lot of time for them to respond. When we reach out, we are waiting, most of the time, for two or three weeks to get a reply from them. That is the one major piece of feedback I have for Veracode.

Their technical support is very good, except for the response time. When we are stuck with something technical, they explain how to use it in multiple ways. They are supportive and that is pretty good.

Neutral

We were using a couple of other tools along with Veracode. One was SonarQube and the other was Acunetix.

The false positive rate is pretty low. When I started using Veracode, there were a lot of false positives, but that number became notably smaller. There are some false positives because new types of flaws are generated for each new version.

Initially, in general, whenever you see any kind of false positives or true negatives, it reduces your confidence. But whenever the reports are generated by Veracode, as developers we can understand that they show certain patterns of what might be a false positive. So we get an idea that this kind of a flaw might be a false positive while this kind might not be a false positive. We get clarity about the reports sent by Veracode. At a certain point, we might be sure that we can explain all the false positive data to management so that they can look into them and understand: If this kind of data or this kind of code flaw comes up, it is a false positive. We can easily associate these scenarios with false positives because they are normal and common.

During the initial phase, false positives affect our time because we can't deduce any conclusions. Static analysis is the kind of process in which you will encounter false positives in certain cases. But after a couple of implementations of machine learning, the results should be pretty accurate and the false positives should decrease.

Preventive maintenance is critical. Per my experience with Veracode, there are certain maintenance issues, but they are the normal types of things.

I would highly recommend Veracode, but initially, don't do a deep dive into the tool. Take a couple of licenses to start adapting to the tool and work out how it works and whether it's suitable for your development processes and developers, and get their feedback. I highly recommend it because it's a real time-saver, provides stability, and improves your organization's productivity.

Veracode helps to prevent vulnerable code from going into production. They are providing remediation support. They provide a specific solution. If a code has any vulnerability, they provide the snippet of that code. They also provide recommendations. Their support team is very active. If you have any concerns related to the vulnerabilities, they schedule a call and resolve your issues. That is very good.

With Veracode, there are fewer false positives as compared to other tools. It provides genuine vulnerabilities. It is also user-friendly. They are not only sticking to SAST testing. They also have pen testing.

The visibility that Veracode provides is good. They provide a proper dashboard for everything. We have visibility into the application status at every phase of development - Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test. I am satisfied with it. We have not integrated it with our DevOps pipeline, but it has all the features for easy integration.

Veracode helps us to fix flaws. They provide very good recommendations. It is very easy for a developer to fix the flaws. They provide a specific solution.

Veracode has helped our developers save time. It has been very useful.

In my experience, Veracode is one of the most powerful tools available in the market from a security perspective. It is a market leader in source code analysis.

I am expecting some AI-related features in it. Also, if someone is using AI-generated code, Veracode should be able to detect that.

I have more than 12 years of experience working with Veracode. 

It is stable. There are no unplanned downtimes. If they are going to have downtime because of maintenance or any other reason, they communicate that to you a week before. They not only inform you by email. They also alert you through their portal.

Their support is good. I would rate them a ten out of ten. 

Positive

I work with almost all the tools available in the market. Its competitors are AppScan and Fortify. Synopsys is also there, and Checkmark is also there.

Veracode is the best tool as of now. That is because of the quality of the product and technical support. Veracode supports all the testing options.

Veracode is a leading tool in the market for code security. It is all about the source code review from a security perspective. It identifies the vulnerabilities in the source code. Apart from this, they also provide services for run-time code. If you have your application in production, it can also find vulnerabilities in that. They also support software composition. If your application is using a third-party library, they can identify the vulnerabilities in that.

It is straightforward. It is easy to deploy because it is a cloud-based service. It does not take long.

They are a mature company. They have already worked a lot on all the things. They keep on coming up with new features. Their R&D team is very good.

The ROI is in terms of time savings and security. If an attack happens because of a vulnerability, it costs a company and impacts its reputation. No one should be compromising on security.

As compared to others, it is a costly solution. It is overpriced, and many organizations with a limited budget cannot afford it. That is why they are going for other tools, but those tools are not that effective. Veracode is better in terms of quality. If you want good service, you have to pay for it.

I am working at a consultancy, and I did a PoC with five or six top tools in the market. I found Veracode to be the best in every aspect.

I am currently looking for some AI-powered tools. I am exploring the AI capabilities of various tools.

Overall, I would rate Veracode a nine out of ten. With AI capabilities, it would be a ten.