Veracode Reviews

We have three use cases. We have the dynamic scans that we use to scan the production, public-facing URLs. We also use the static scan where we work with the Dev team and scan the code base for the web application and the mobile application on both iOS and Android. Our third use case is manual penetration tests, which my team manages. We do annual manual penetration tests.

It's deployed to our platform infrastructure, which is in a public cloud.

We have some major clients using Veracode. It saves us time when it comes to doing annual pen tests. When we say we're using Veracode and they are also using Veracode, we don't have to run the test twice. They accept what we have because they know the framework is going to be the same.

A pen test can take a month; it really depends on the number of flaws that are found. So when we don't have to run a pen test twice it saves a lot of time. It not only saves time for my team, but for other teams as well, because when we run a third-party pen test for clients, I not only need to have my team coordinating it, but it requires documentation and it requires my technical support to be involved. So it saves a lot of time for a number of teams.

The report content is very good because the reports are structured in a way that they explain the scope of the scan and what the policy is. A report shows, right at the beginning, if we have passed the scan for the policy or not. That's very helpful when sharing that report externally. It's something that we didn't have before and having that now is extremely useful because it avoids a lot of back and forth with clients. If we share a report and there is no further explanation necessary on how the scan works and what we're doing to fix the flaws, it saves additional manual work that would otherwise be needed to update that information. With Veracode, we can do it automatically, just by pulling a report from the dashboard. In addition, whatever they have on the reports meets industry expectations.

Veracode provides visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing, in a centralized view. I manage the team, I'm not involved in the daily operations. But as a manager, it's extremely helpful, because I just log in to my Veracode instance and, on the homepage, it shows the status of all the scans. If I want more information about something, it's one click. From a managerial perspective, it's extremely helpful. The centralized view helps reduce risk exposure. If there is something wrong with a scan, if a scan doesn't run or a scan is not complete, I know about it from the main dashboard.

In addition, the solution integrates with developer tools. That creates more efficiency in the workflows because they don't need to duplicate work.

Overall, its ability to prevent vulnerable code from going into production is very good. We recently onboarded a new application into the static scan and we had almost 1,000 flaws in the first scan. We were able to mitigate all of them in less than three months. The result was amazing, enabling us to find everything that could potentially create a problem for us.

All of its features are valuable to us. We are ISO certified and we also do annual SOC 2 audits. We deal with personal, identifiable information and we host confidential information from our clients. Our use of Veracode is based on our clients' requirements and on ISO requirements. It is something that we have in place to comply with what is required. In that context, the manual penetration test is a requirement from all our clients and we do it once a year.

In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application. The dynamic scanning is mostly used to make sure that whatever is deployed to production is secure.

Veracode provides guidance for fixing vulnerabilities. This doesn't enable developers to write secure code from the start, but Veracode provides guidance through security consultants. We can book consultations in case developers cannot fix a specific flaw, and they guide us through the process based on the CWE.

The efficiency of the solution when it comes to creating secure software is good. For us, it works well. Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers.

Its policy reporting for ensuring compliance with industry standards and regulations is very helpful. We can create our own policy, based on our internal risk management guidelines, and run the scans against our own customized policy. That way we can set expectations to fix flaws based on our internal timeline, and we can issue reports based on that. We usually share those reports with clients. That's very useful.

They are also always updating the types of threats and that's very useful.

In addition, they provide analytics on how we're doing in terms of fixing flaws and mitigating issues.

All of the services that Veracode provides are necessary for the type and the level of security and confidentiality that we need.

Whenever there is a mitigation that is submitted through the platform, I'm the one who approves it. The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most.

I have been using Veracode for a year.

The stability is good. We have never had problems.

We will be using more of our products in Veracode starting in January. We added one more application into the dynamic scan and we added a couple more manual penetration tests to our projects. Once you understand how it works, it's very easy to deploy to different applications.

In terms of increasing our usage of the solution, we probably won't for the next couple of years, but we never know. It really depends on the requirements that we have from clients and the requirements of the standards and the regulations. Now, we are covering most of the applications and use cases that we need. We are doing 100 percent of the code base. We are doing dynamic scans on all the URLs in production, and the manual pen tasks are also covering all the applications.

We are doubling the ACV with Veracode for 2021, and that's a lot. After that, we're going to be good for the next couple of years, unless there is something new and the Dev team needs to use some other feature that I'm not aware of at this point.

For the dynamic scans I have a couple of people from the technical support team and one person from operations. For static scans, I have my entire iOS and Android team because, depending on the type of flaw, the ticket is given to different developers. I have about 20 to 25 Veracode users.

Their technical support is usually very quick. They usually get back to us in less than 24 hours. We had a problem recently and it was the first time that we had a problem with Veracode support. We didn't get an outcome for three weeks and it created a major problem, but they usually get back to us in 24 hours.

Their Knowledge Base, their help site, is very useful. Most of the time we can find the information that we are looking for there. Sometimes we consult with their support team, but we can usually find information in their help site.

We were using WhiteHat. We switched because the dashboard was very bad and there were no analytics. The UI was also very bad, so it was not easy to manage it. Also, most of our big clients were using Veracode and asking us to migrate to Veracode. It was a combination of things.

The setup was straightforward. It takes some time in the beginning to onboard, but our onboarding process was easy from the moment that we actually connected the Dev team with Veracode. It's normal to have a certain degree of difficulty in the beginning but we didn't have any major problems.

Our deployment took between a month and 45 days.

We migrated from another vendor, so we first picked the services that we needed and the type. We started with the same scans that we had with the other vendor, and then we divided the work between the different teams. We had to have the iOS team onboard and the Android team onboard. I presented the new tool to them and created the accounts and, after that, we had parallel projects to onboard the different scans. It was definitely easier because I had different teams taking care of each one of the scans, meaning I could do everything in parallel.

For the dynamic scans we had one person involved from the technical support team. It was super-straightforward and super-easy to do. It took us a couple of hours to do it. The static scan takes a little bit more time because you have to prepare the packages. But we already had the packages ready because we migrated from another vendor. It took us some time to adjust the scans, but the actual work of uploading the packages took less than a week.

There is no direct ROI. There is a cost of security, overall. It saves a lot of time and it allows us to have the certifications and comply with the clients' requirements, but it's very hard to have a direct ROI. It's a cost for compliance and security that is worth it.

Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive.

There is also a fee for the support package, which I think is extremely expensive. We used to have the premium support and we didn't use most of it, so we're downgrading to the basic support, and even the basic support is expensive.

We evaluated BitSight. The main advantage of Veracode was the UI, the dashboard. It's very easy to use and to manage.

I can give advice to other managers. If they are willing to properly manage, but they don't have the time or the bandwidth to actually operate, it's a very good tool. It's easy to get access to information and it's easy to understand what's going on with your application without much of a burden. You don't have to waste a lot of time trying to understand a complicated report. Everything is accessible. And the amount of information that Veracode gives based on the flaws is very straightforward and makes it easy for the Dev team to fix them.

I would rate it at eight out of 10. The tool itself is a very good tool. The way they work to update the flaws and the findings is very effective. But the support is a little bit expensive and it could be a little bit better. And there are few things that could be updated in the UI, but overall it's a very good tool.

We use Veracode as part of our development pipelines. It gives us security feedback when we run our applications. Our applications are completely containerized in Docker images with a .NET 4.6 architecture. These are web-based applications, so we want to know that all the HTTP requests are secured. The tool provides us with feedback to ensure that our application security is robust. 

We are primarily running Veracode to check for vulnerabilities after the build. There is no pre-build process. We are running a post-build static analysis and dynamic analysis. We run it at the end of the development process. 

Veracode's ability to detect security vulnerabilities is excellent. We can feel confident that none of the vulnerabilities will make it into production. It doesn't take long to realize the benefits from it. The interface is intuitive. We could start to see value from Veracode within a couple of weeks. 

We don't have many false positives. We're using the tool's default rules and haven't done much customization. We can feel confident in the solution's results. 
We can identify most of the issues before the production stage, and it also enables us to develop better practices in the development process. We also have a security testing team using Veracode to discover vulnerabilities. The discovery of issues after static analysis is super-efficient. It reduces our time spent on these tasks by about 30 percent. 

Veracode has had a positive impact on our overall security posture. It's comprehensive, which is critical because our applications are mostly integrated, so we don't want to take any chances. 

One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities.

Veracode helps us prevent vulnerabilities from entering production. We can put it into the pipeline and set an acceptable limit for vulnerabilities. If the number of vulnerabilities is under the threshold, we can deploy automatically. 

Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code.

I have only used Veracode for a year.

Veracode is stable. 

Veracode is scalable.

I rate Veracode support eight out of 10. 

Positive

We evaluated another solution briefly but we decided to keep Veracode. Veracode has some issues with container scanning, and we have some container-based applications. We considered bringing in another tool for container scanning, but it was too expensive and Veracode was able to mitigate the issues well enough. 

Veracode is affordable. It offers a good value for the security benefits it offers, especially if you're working with applications that involve payment processing. You cannot afford to take chances there. 

I rate Veracode nine out of 10. I recommend Veracode, depending on the type of application you are scanning. It's a leading solution in this domain. Veracode is the first name that comes to mind when people are talking about security scanning. 

We are using Veracode to shift development left. Therefore, we want to train our team of third-party vendors and improve our code security.

Veracode has been effective at preventing vulnerable code from entering production. I can easily enable the support team. Additionally, the reports are free. Although we are at the beginning of our journey, I can see that Veracode is capturing vulnerabilities.

The cooperation between the security team and the development team is improving, and our security team's visibility is increasing. As a result, we are achieving better and better results, and Veracode is helping to improve our security posture.

I am using Veracode's preconfigured policies because I find them useful and complex.

I am satisfied with Veracode's visibility into application status at every phase of development.

We can see that false positives are quite low, around five to ten percent.

We can add notes to any false positives during static analysis testing so that our developers can see the notes and avoid wasting time on them.

Veracode's reporting function and executive summary help us emphasize the security of our business-critical products to our business, which also helps us get sponsorship from our management to fix flaws and move forward.

Veracode helps our developers save 10 percent of their time by identifying security flaws early in the development process. This allows us to fix the flaws before they go into production, which is more efficient and cost-effective.

Veracode has helped us improve our security posture.

The admin ID can be downloaded into Visual Studio, for example, and developers can use that directive without having to type code. I think this is the best feature of Veracode.

The integration of static testing with our Azure DevOps CI pipeline was easy.

Veracode's support could be better. It is limited and slow.

The security labs integration has room for improvement. Currently, it is not possible to see the security labs training reports on the dashboard. These reports are only available separately in the security labs platform. I think that adding the dashboards for integration would be a good area of improvement.

I have been using Veracode for almost six months.

Veracode is stable.

Veracode is easy to scale.

Technical support needs to improve its response times and the details of its responses.

Neutral

The deployment was somewhat complex because some of the documentation was outdated, which caused some problems. There was confusion about how to implement the static pipeline scan. It took some time to find the correct articles and speak with the support team to implement Veracode.

The deployment took a couple of hours and required one DevOps and one tech person.

Veracode is fairly priced.

Before selecting Veracode, we evaluated SonarQube and Codacy. We chose Veracode because of its comprehensiveness and its ability to provide us with a solution for each phase of the software development life cycle. Veracode offers both dynamic code analysis and static code analysis solutions. With Veracode, we were able to get everything we needed in one place, without having to sign contracts with multiple vendors.

I would rate Veracode eight out of ten.

We deployed Veracode in one location and have ten users.

I recommend Veracode based on the script language being used.

We use Veracode to scan our code before release. The scan ensures our projects will have no issues. We only use Veracode for customer-facing and revenue-generating web applications. 

Application security is paramount. It's essential to check any extended web applications we are using. Veracode enables us to check integrated segments that are based on other websites. We can also perform a light scan on some of the smaller customer-facing web applications.  

Veracode provides visibility into application status, but we do not use it during every development phase. We only use Veracode before the code goes into production. It improves our DevSecOps. We use an agile process, so we have less time to fix issues when we discover vulnerabilities. Veracode helps us fix many critical issues but only if it is compatible with all the technologies. 

It helps if the products you use are from preferred vendors like Salesforce. If your tools are incompatible, you might get some false positives. You can still use products that aren't from preferred vendors, but if you use tools like Salesforce, etc., it will automatically recognize and ignore these issues. It cuts down on the time we spend investigating. 

The overall false positive rate is good. It is about 70-80 percent accurate. In some stages, we have to let issues go and defer the fix until another time. We might wait to release a patch later. 

Veracode adds value when we run it in an integrated environment where all the core systems are similar to our production environment. It adds value to the developers in the final stages of testing or the QA environment. We can use it for functional or system testing. That is where it adds value for the developers by enabling them to fix many of the issues. Nothing flows into the queue box. We can say it has been effective if it's up to 70 percent, but if we consider the environmental constraints, it's around 30 to 40 percent. 

It adds daily value by improving the security posture of our customer-facing web applications. A developer could make a mistake not caught in the QA process. 

I like Veracode's ease of integration with various cloud platforms and tools. 

I'm also a cybersecurity expert. In addition to vulnerabilities, I am looking at this from a holistic cybersecurity perspective. Bringing Veracode in line with the latest vulnerabilities would add value. We see APT issues often, and some processes could be left vulnerable if our tool cannot cope with them. It would improve Veracode to bring it up to date with current threats that the cybersecurity industry highlights.

I would also like Veracode to offer training and certifications that users can do on their own time. It would encourage people to build skills that they could reuse across the board. Many other software publishers offer this. It helps build a user base and generate interest. Training is an excellent way to market your product. It would also be helpful to build a user community online to create a knowledge base of expert users who can answer questions and advise Veracode on ways to improve the product.

We been using Veracode for five or six years. 

SonarQube is another solution we've used. SonarQube has some limitations, and we feel like it isn't keeping pace with the technology landscape. We had to reconsider our tool, which led us to adopt Veracode.

We had some challenges initially, but I think that was due to a lack of training. After deployment, Veracode doesn't require much maintenance. 

Veracode's price is reasonable because of the value it offers. If you don't catch bad code before it goes into production, you have to spend money to rework it, and a security failure in your product can cost your company. We think it's worth what we pay.

It would be nice if Veracode were bundled with some preferred vendors like Salesforce and offered at a discount.

I rate Veracode a nine out of ten.

Veracode has both static application security testing as well as dynamic application security testing, also called Dynamic Analysis. Our primary use case was on the static analysis side, not on the dynamic, because we have an automated tool in the dynamic analysis scope. So our primary use was static analysis security testing.

Application security improved a lot because the teams got a list of all vulnerabilities, they analyzed them, and then they incorporated the fixes. It helped ensure that these kinds of issues would not happen when they wrote code in the future, because when the fix was applied, it was applied to all the vulnerabilities. That means our AppSec improved greatly once we started using Veracode.

It has SAST, DAST, as well as SCA—software composition analysis, which is used for finding vulnerabilities in third-party components. All these are in one tenant. Veracode provides a uniform view that enabled us to see the vulnerabilities of an application holistically. Our primary use case was the SAST. The DAST and SCA were not for our products. It definitely helped reduce risk exposure because, no matter how secure the code you write is, ultimately, you end up using third-party libraries. So finding vulnerabilities in the third-party libraries is also essential and this unified view gave us a holistic security profile of the application, rather than just our code or just the third-party code or only static or only dynamic. All these pieces are combined to give a unified view. It helped give a holistic picture of the security status of the application.

The most valuable feature, from a central tools team perspective, which is the team I am part of, being a DevSecOps person, is that it is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage. 

Also, because it's SaaS and hosted, we didn't have any infrastructure headache. We didn't have to think about capacity, the load, the scan times, the distribution of teams across various instances. All of this, the elasticity of it, is a major advantage.

There are two aspects to it. One is the infrastructure. The other one is the configuration. There are a lot of SaaS solutions where the infrastructure is taken care of, but the configuration of the application to start scanning takes some time to gain knowledge about it through research and study. That is not the case with Veracode. You don't have any extensive security profiles to consider. It's a two-pronged advantage.

Veracode also reports far fewer false positives with the static scanning. The scanner just goes through the code and analyzes all the security vulnerabilities. A lot of scanning tools in the market give you a lot of false positives. The false positive rate in Veracode is notably less. That was very helpful to the product teams as they could spend most of their time fixing real issues.

Veracode provides guidance for fixing vulnerabilities and that is one of their USPs—unique selling propositions. They provide security consultations, and scheduling a consultation is very easy. Once a scan is completed, anybody who has a Veracode login can just click a button and have a security consultation with Veracode. That is very unique to Veracode. I have not seen this offered in other products. Even if it is offered, it is not as seamless and it takes some time to get security advice. But with Veracode, it's very seamless and easy to make happen.

Along those lines, this guidance enables developers to write secure code from the start. One of the advantages with Veracode is its ability to integrate the scanning with the DevOps pipeline as well as into the IDEs of the developers, like Eclipse or IntelliJ or Visual Studio. This type of guidance helps developers left-shift their secure-coding practices, which really helps in writing far better secured product.

Another unique selling point of Veracode is their eLearning platform, which is available with the cloud-hosted solution. It's integrated into the same URL. Developers log into the Veracode tenant, go through the eLearning Portal, and all the courses are there. The eLearning platform is really good and has helped developers improve their application security knowledge and incorporate it in their coding practices.

One of the things that Veracode follows very clearly is the assignment of a vulnerability to the CWE standard or the OWASP standard. Every vulnerability reported is tied to an open standard. It's not something proprietary to Veracode. But it makes it easy for the engineers and developers to find more information on the particular bug. The adherence to standards helps developers learn more about issues and how to fix them.

We use the Static Analysis Pipeline Scan as part of the CI pipeline in Jenkins or TeamCity or any of the code orchestrators that use scanning as part of the pipeline. There's nothing special about the pipeline scan. It's like our regular Veracode Static Analysis Scan. It's just that if it is part of the pipeline, you are scanning more frequently and finding flaws at an earlier point in time. The time to identify vulnerabilities is quicker.

Veracode with the integrated development environments that the developers use to write code, including Microsoft Visual Studio, Eclipse, IntelliJ IDEA, etc. It also integrates with project and portfolio management tools like JIRA and Rally. That way, once vulnerabilities are reported you can actually track them by exporting them to your project management tools, your Agile tools, or your Kanban boards. The more integrations a scanning tool has, the better it is because everything has to fit into the DevOps or DevSecOps pipeline. The more integrations it has with the continuous integration tools, the IDEs, and the product management tools, the better it is. It affects the adoption. If it is a standalone system the adoption won't be great. The integration helps with adoption because you don't need to scan manually. You set it up in the pipeline once and it just keeps scanning.

When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications.

For C++ based languages, or languages where there is a platform dependency—for example, if I write C language code it is dependent on whether I'm executing that on Windows, or on Linux, or another platform—and with some of these platforms-specific languages, Veracode makes something called debug symbols that are introduced into the code. That gets cumbersome. They could improve that or possibly automate. If Veracode could quickly analyze the code and make file-line flags, that would be great. It is easy to do for Java, Python, and Pearl, but not so easy for C++. So when it comes to the debug symbols, guidance or automation could be improved.

Also, scan completion, as well scanning progress, is not reported accurately. Sometimes the scan says it will complete in two to three hours but it will take four or five hours. That is one of the areas where they can give a more accurate estimate.

I used to work for CA Technologies, which was acquired by Broadcom. Back in 2017, CA Technologies acquired Veracode, and that is when I started administering Veracode. Since it was a CA product, all product teams in various business units within CA were asked to adopt Veracode for their static analysis. My team is the central tools team and had the responsibility of enabling and deploying Veracode for all the product teams. So we used Veracode starting in 2017. I used it both in a DevSecOps lead role and as a Veracode admin and security admin.

It's quite stable because everything is in the cloud. I really don't need to worry about the stability at all or the frequency of the scans. It's all taken care of by the Veracode platform.

It is scalable. We had about 500 applications, out of which 200 were being scanned regularly. It was in the AWS infrastructure and it was quite scalable. The elasticity was all taken care of. We were scanning a huge set of enterprise products.

We had roughly 2,000 Veracode users. Generally they were developers but there were QA people, as well as the program managers because they needed to add the vulnerabilities and see the health of the product. We also had security champions to advise the product teams on their scanning and vulnerabilities. In addition, general security also accessed it to provide consultation on how to fix vulnerabilities. We were able to give privileges and access control based on each individual.

We stopped our use of Veracode on November 1st, 2020, about 30 days ago. But when we were using it for the three-and-a-half years, the usage was very extensive.

The customer support was two-pronged. One was the security consultation and that was top-notch. The security support helped teams understandable the vulnerabilities 

The regular customer support for issues was quite prompt and had good SLA turnarounds.

Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license. It's a good return on investment because it improves the application security for all the different types of scans.

It reduced the cost of AppSec for our organization because otherwise we would have had to go through multiple vendors for application security. With Veracode, one solution fit all our needs. It reduced the AppSec cost by reducing the numbers of vendors. Typically, you would have different products for different types of scanning. For static analysis you might use one tool, and for dynamic another, and for third-party software composition analysis you might use another. And after using all those tools, you might still have to consult with another vendor. Veracode combines all this into a single solution.

I would estimate that it saved us $500,000 a year.

We have been using the Synopsys tool from Coverity for our static analysis.

Veracode is superior in terms of infrastructure because it is cloud-hosted. We don't have that with Coverity on-premise. We need to take care of capacity planning, infrastructure procurement. Also, with Coverity we have to invest some time to enable various checkers. The security profile configuration takes time compared to Veracode.

Coverity, on the other hand, is more robust and it works with the C programming languages.

We use it for dynamic scanning and Static Code Analysis as well as for Software Composition Analysis (SCA).

We do use this solution's support for cloud-native applications.

We are a startup with 350 employees. The AppSec program initially was focused and aligned with regulatory audit, and compliance. However, over the past two years, we have "shifted left" : integrating AppSec early in our SDLC process. Having this tool has fast-tracked our response times in terms of scanning the code for third-party library vulnerabilities. 

The SCA, which detects vulnerabilities in third-party and open source libraries, was something new for us and is very well done. It provides guidance for fixing vulnerabilities. 

When we go from the dynamic scan to static scan to SCA, there is a huge change in the UI. This was not relayed to us when we were buying the product nor during the demo. They mentioned, "Yeah, this was an acquisition. The third-party library scanner was an acquisition from SourceClear."

You can see there is a huge difference in the user experience in terms of both the display as well as the usability of the product. That is one of our pet peeves: They are not normalizing the UI across the three product segments. We had numerous calls with them early on because we were new to the platform. The sales team is not aligned with the support team. The support team keeps telling us to use a different UI versus the one that the sales team showcased during the sales cycle.

There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed. It is ironic that they claim themselves as agile AppSec tool, but their UI doesn't reflect that.

We had a couple of consulting calls, and perhaps it may be the engineers that we got, they were not really up to speed with our frameworks. They were very focused on .NET and Java, which are legacy frameworks for us. We don't use these at all in our code base. We are using the newer, modern web frameworks, like Django. They have very little coverage or knowledge base on these, especially on the mobile side.

There are a lot of faults with the Static Analysis Pipeline Scan tool. Their tool seems to be very good with legacy products, which are developed in .NET and Java frameworks, but there are false positives when it comes to using modern web frameworks, like Python and Django. The C++ code doesn't even scan. We have spent at least three weeks worth of time going back and forth because it won't support the use cases that we have.

We have been using Veracode for over a year now.

It hasn't gone down. Nobody has complained about the Pipeline Scan being broken. The couple of times that they have, it was more to do with our ineptitude than with the platform capabilities. Once we understood how the platform is working and the gotchas associated with it, we were able to have a workaround within its constraints.

For our use case, it is sufficient. It has been up and running for quite some time and we haven't had any downtime experience with it. We get proactive notifications from Veracode about any upcoming maintenance, batch schedules, and other things. They have been pretty good with that. 

There haven't been any issues with multiple users logging in and slowing it down. It has just been inherently slow. 

We clearly mentioned during our purchase cycle that we have C++ code, a Swift code from a US perspective, Python libraries, etc. We were given assurances that these were absolutely covered under the solution. However, when we started investigating through support tickets, they admitted that these were not supported. We have very limited support for C++ code scans and other things. That was a bummer from my perspective.

The support has been good. However, we work in an agile environment and our release cycles are literally every two weeks. Their response times have been very delayed, especially as we are in the Pacific Time Zone and they are in the Eastern Time Zone. 

They have a great support portal to do self-service. We have been pretty impressed with that, but we soon realized that anything you pick is 10 days to two weeks out. That has been a non-starter for us. We had to constantly escalate through our account team to get an engineer on the call, because we were in the middle of a release and needed to scan the product at the moment.

At this point, we are doing sandbox scanning. We have implemented it with our Jenkins CI/CD tool to really scan the code, upload, etc. It took awhile for us to figure it out because the support wasn't really helpful. We had to hack our way into getting through the documentation. Since the time they acquired SourceClear, they haven't really cleaned up or integrated the documentation well, and that may be one of the reasons. However, we were able to find the right combination of keys to make it work.

We were previously using WhiteHat Security. Their lack of customer service prompted us to switch. Every question that we asked was just going into a black hole. The only time that we got any response was when our account was up for renewal. We had a long discussion with them to get a rationale behind their lack of response, and that was the only time they listened. There was no follow-up. That is when we decided that this is not a partnership that we wanted to continue anymore.

Veracode has automated a lot of the manual stuff that we were doing in terms of scanning third-party libraries. With any given release, I was spending from eight to 10 hours manually scanning through all 3rd-party libraries for vulnerabilities. Now, it is all within the Pipeline. So, I am saving about 10 hours in a given month with it.

The initial setup was moderately complex. The onboarding of the tenant, single sign-on, and access control were easy, but when it came to the real work of integrating the Pipeline Scan and our ticketing system, that is broken at this point. I spend most of my time manually doing this, and if they could fix that portion, that would save me another two hours worth of my time with every release.

The deployment took two to three weeks.

Because this was a SaaS service, we just onboarded one team, then looked through some of the gotchas from login and access perspective. Once the pilot users were all cleared up for any potential issues, we then onboarded the rest of the team. We have a small team of 40 users from a development perspective.

It's pretty straightforward from an onboarding perspective because it is all SaaS. We just needed to whitelist some IPs from Veracode for scanning some of our code, which are not publicly available. Beyond that, everything was pretty straightforward.

The solution was implemented by an internal consultant and me.

The time savings has been tremendous. We saw ROI in the first six months.

It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent.

We bought the product for its expected benefits, in terms of all the bells and whistles that we saw during the sales cycle. When it came time to really implement it, that is where we have been having buyer's remorse.

We evaluated Micro Focus, Black Duck, SonarSource, and Coverity. We felt Micro Focus was the closest to really addressing all three of our needs, which is SAST, DAST, and the third-party software composition analysis. Micro Focus had the most complete execution from an implementation perspective, but it was very expensive for us. We went with Veracode because it was within our price point. 

We are getting huge value out of the dynamic scan and third-party library scanning. However, the initial euphoria has died down at this point, so we will be looking at additional tools to augment some of the solution's shortcomings.

It is good for third-party scanning and if your code base is all modern web frameworks. It is also great for the third-party analysis. However, the Software Composition Analysis is not good if you have C++ code or anything legacy, as it does not cover that. It also does not cover iOS code. It has a lot of constraints.

The solution’s policy reporting for ensuring compliance with industry standards and regulations is fine. We are using it for internal reporting, but we haven't really dug into the policy definitions and tweaking them. We are using its default policies.

As part of our validation and testing, we are able to catch vulnerable code early on. That has been helpful. Automating some of the process has been really helpful, at least from our team's effort perspective. The tool highlights the risk associated with vulnerabilities. That effort is very much automated with this tool.

I would rate this solution as a six out of 10. If you have legacy applications, the solution is great. Their SaaS scanning is geared towards that. If you have modern frameworks, the SaaS scanning and dynamic scanning don't provide much value. My advice to anybody looking at Veracode: Use them for third-party scanning. They are really good at that because of their SourceClear acquisition. For the rest of their products though, just keep looking.

We are a Veracode reseller and we utilize their solution for software vulnerability analysis. Our primary objective is to identify any security issues in open-source libraries that have been rejected. Additionally, we perform dynamic code scanning and employ Static Application Security Testing for comprehensive application security testing.

Veracode prevents 100 percent of vulnerable code from entering production.

Veracode has assisted our customers in deploying safely, thereby reducing both risk and hassle. Additionally, the solution has aided in reducing the costs associated with problem resolution. We noticed the benefits within the first day of using Veracode.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is excellent. We only need to specify the regulation we must comply with, and the report will be generated instantly.

Veracode provides visibility into the status of applications at every phase of development. It is one comprehensive integrated system, but we can also utilize specific features like SAST if we require it.

In the absence of Veracode, the security team typically informs the developers about the policies that must be adhered to, and they enhance the code in a manner that ensures compliance. However, when Veracode is utilized, this step becomes unnecessary. Each individual focuses on their respective strengths, allowing for seamless collaboration.

We have compared Veracode with other solutions, and its false positive rate is the lowest in the industry.

Veracode's low false positive rate is key to our ability to avoid being burdened by false alerts and focus on fixing code.

Veracode's false positive rate of the static analysis has helped save us time.

Veracode helps fix flaws. Our customers have reported that it is faster and more compliant, making it easier for them to send out reports to various stakeholders when they have questions. For example, when dealing with higher-level management, we can create a report containing comprehensive statistics and informative pie charts, which greatly assists them. Additionally, this helps demonstrate the value of Veracode during internal assessments.

Veracode helps our developers save time. 

Veracode helps improve our security posture as it ensures compliance and simplifies the process.

Veracode helps our developers save costs.

Static code scanning is the most valuable feature. Moreover, Veracode integrates with various frameworks and workflow solutions.

Veracode has the capability to identify flaws in the code. I would like Veracode to also have the ability to fix these flaws in a future release.

I have been using Veracode for four years.

Veracode is an exceptionally stable solution.

We can scale Veracode from one to thousands of applications within a minute.

Veracode is used by some of our customers for individual applications, as well as by others for thousands of applications.

The technical support is great.

Positive

In addition to previously using SonarQube, we also employed several other solutions before transitioning to Veracode due to its superior reporting capabilities.

The initial setup is straightforward. The deployment time depends on the size of the built solution. If we consider a relatively modest number of apps, I would say that they can be up and running within a day or two. We first completed a good analysis of what our customer wanted and because Veracode is a cloud solution, we can have a code scan running within minutes. It is easy to integrate other frameworks and work with applications that are already integrated with Veracode. One product owner or software developer can handle the deployment.

The implementation was completed in-house.

With Veracode, the benefits are clear, and we can see a return on investment through the visibility it offers. This enables us to fix flaws sooner, thereby reducing the time to market for our customers.

Veracode provides value for the cost, with no additional charges apart from the standard licensing fee.

I would rate Veracode a perfect ten out of ten because it consistently delivers on its promises.

Those who are concerned about Veracode's price should be aware that the solution holds value. Additionally, they should consider that other solutions are on-premises and require additional fees for reporting traffic processed, unlike Veracode.

The maintenance is all taken care of by Veracode.

Veracode is so straightforward that I have no advice to offer to anyone.

There are many companies out there that do not consider code security when thinking about cybersecurity risks. This holds true even for larger companies, where it is still a greenfield situation.

We use Veracode to scan our codes for vulnerabilities and risks.

Veracodes' ability to prevent vulnerable code from entering production works very well and it can detect the type of script used.

The software bill of materials helps us understand the industry that we are in and ensures we have a stable solution.

We can easily create a report using a software bill of materials because it has good templates that we can use.

Veracode has improved our organization by allowing us to fix the flows quickly for our clients by making data coding easy.

Veracode provides visibility into all phases of development.

The visibility into our development provides confidence to our DevSecOps that they will be able to deploy on time with no errors.

The false positive rate is good but we require a lot of skills to utilize it properly.

The false positive helps our DevOps troubleshoot every stage of development and increase their efficiency which boosts their confidence.

Veracode has helped our developers save around 20 percent of their time.

It has increased our organization's ability to fix flaws. We can scan code in a video which reduces costs and risk.

Veracode has increased security in our overall security posture because it detects flaws during scans.

We have saved around $500 a month in DevOps with Veracode.

Code scanning is the most valuable feature. 

The templates allow us to create wonderful reports.

The software bill of materials feature helps our supply chain security.

The backend support team of Veracode requires improvement as they are difficult to reach when we encounter issues.

The UI is not user-friendly and can be improved.

The speed of our internet connection affects the scanning process, which may take a considerable amount of time to finish. As a result, this can lead to challenges in planning and reporting, causing confusion.

I have been using the solution for three years.

It is stable.

Veracode is scalable.

The support is slow to respond.

Neutral

The initial setup was straightforward. I deployed the solution myself within three days.

The implementation was completed in-house.

We have seen a 32 percent return on investment with Veracode.

The licensing cost for Veracode is fair.

I give the solution an eight out of ten.

Veracode is user-friendly depending on how we use it. 

We have seven people using the solution.

Veracode does not require any maintenance on our end.

Veracode is a secure, reliable, and sustainable tool that all organizations should use for scanning code.