Veracode Reviews

We primarily use Veracode for static code analysis.

Veracode detects vulnerabilities. The most essential part is Veracode's PCI compliance policies. We need to make sure our code is compliant. Veracode's policy reporting features are effective at ensuring compliance with industry standards and regulations. The policy has changed here, but that functionality works quite well. It provides visibility to application status at every development stage. 

The solution helped us find and fix flaws. It ultimately saves us some time, but we still spend a long time sorting through the false positives. Every report generates a number of issues, some of which are valid. Others are mitigated by application design or network devices. Veracode improved our security overall. There is no doubt about that. 

The CSA vulnerability scanning is useful. 

The dynamic scanning feature appears to be working, however, 90%-95% of all vulnerabilities could be easily detected by any web browser.

When it comes to dynamic scanning Veracode needs to improve its functionality.

They claim that we can do this, but it doesn't work when we're scanning the applications in real time.  

Static code analysis generates too many false positives, so it takes a lot of time to review them all. The security and development teams need to work together to mitigate the false positives. It doesn't affect the developers' confidence in the solution. It still works, but it takes time. It has a significant impact on the process. 

I have been using Veracode for five or six years.

I rate Veracode support a seven out of ten. We have weekly meetings with the support representatives to discuss any issues with the tool. It's pretty good.

Neutral

I rate Veracode a five out of ten. 

We use Veracode to scan our code before release. The scan ensures our projects will have no issues. We only use Veracode for customer-facing and revenue-generating web applications. 

Application security is paramount. It's essential to check any extended web applications we are using. Veracode enables us to check integrated segments that are based on other websites. We can also perform a light scan on some of the smaller customer-facing web applications.  

Veracode provides visibility into application status, but we do not use it during every development phase. We only use Veracode before the code goes into production. It improves our DevSecOps. We use an agile process, so we have less time to fix issues when we discover vulnerabilities. Veracode helps us fix many critical issues but only if it is compatible with all the technologies. 

It helps if the products you use are from preferred vendors like Salesforce. If your tools are incompatible, you might get some false positives. You can still use products that aren't from preferred vendors, but if you use tools like Salesforce, etc., it will automatically recognize and ignore these issues. It cuts down on the time we spend investigating. 

The overall false positive rate is good. It is about 70-80 percent accurate. In some stages, we have to let issues go and defer the fix until another time. We might wait to release a patch later. 

Veracode adds value when we run it in an integrated environment where all the core systems are similar to our production environment. It adds value to the developers in the final stages of testing or the QA environment. We can use it for functional or system testing. That is where it adds value for the developers by enabling them to fix many of the issues. Nothing flows into the queue box. We can say it has been effective if it's up to 70 percent, but if we consider the environmental constraints, it's around 30 to 40 percent. 

It adds daily value by improving the security posture of our customer-facing web applications. A developer could make a mistake not caught in the QA process. 

I like Veracode's ease of integration with various cloud platforms and tools. 

I'm also a cybersecurity expert. In addition to vulnerabilities, I am looking at this from a holistic cybersecurity perspective. Bringing Veracode in line with the latest vulnerabilities would add value. We see APT issues often, and some processes could be left vulnerable if our tool cannot cope with them. It would improve Veracode to bring it up to date with current threats that the cybersecurity industry highlights.

I would also like Veracode to offer training and certifications that users can do on their own time. It would encourage people to build skills that they could reuse across the board. Many other software publishers offer this. It helps build a user base and generate interest. Training is an excellent way to market your product. It would also be helpful to build a user community online to create a knowledge base of expert users who can answer questions and advise Veracode on ways to improve the product.

We been using Veracode for five or six years. 

SonarQube is another solution we've used. SonarQube has some limitations, and we feel like it isn't keeping pace with the technology landscape. We had to reconsider our tool, which led us to adopt Veracode.

We had some challenges initially, but I think that was due to a lack of training. After deployment, Veracode doesn't require much maintenance. 

Veracode's price is reasonable because of the value it offers. If you don't catch bad code before it goes into production, you have to spend money to rework it, and a security failure in your product can cost your company. We think it's worth what we pay.

It would be nice if Veracode were bundled with some preferred vendors like Salesforce and offered at a discount.

I rate Veracode a nine out of ten.

I'm using it to troubleshoot and know the issues in my code and resolve them as soon as possible.

Veracode helps me to understand and resolve vulnerabilities in my code. It's very good to have, and what's most interesting is that the Veracode Greenlight gives me real-time output and resolution. I can also schedule calls with the security experts for any resolution. It's good for understanding and resolving issues that my code might have.

Veracode definitely helps in creating a secure environment for both the company as well as the clients. Our clients require their data to be secure. They also require a stable solution. Veracode is helping me in developing a good product. It provides full information and also helps in a quick resolution.

Veracode is secure, and it has coding standards. It helps me in penetration testing and application security consultation. It exposes common vulnerabilities. The static scan is very good, and it gives me valuable information and a very good recommendation of how I can fix it.

We can integrate Veracode for both static and dynamic analysis to reduce the risks in the application and prevent vulnerabilities. A significant benefit is that you have a risk-free code. It minimizes the risks.

It gives visibility into the application status at every phase of development. There is Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test throughout SDLC.

Veracode has been very important and helpful in creating stable products because we are able to identify issues in the code and then create powerful and stable products for clients.

Veracode provides all details regarding the issues and the way to resolve them. It makes it easy for me as a developer to understand the issue in a better way. It improves a developer's confidence in the solution when fixing vulnerabilities.

Veracode has saved a lot of our time. It has saved us about 45% time.

Veracode has enhanced security. We are able to identify what is missing and what are the issues in the code. When we know that the code has an issue, we are able to make sure that we correct it. Veracode has helped us a lot in providing a stable, secure solution to our clients.

Veracode has helped us to develop faster because it's so straightforward. It has clear documentation that you can use to create a very good and stable environment for developers to collaborate and create a unique solution.

IDE Scan is the most important feature, and then you have SCA and Platform Scan.

I like the fact that it can be used at any stage of application development. I use scanning with a particular piece of code. There is an extension that helps me to create my code easily in Visual Studio and then find flaws before deploying the code. It's definitely benefiting me and the organization. It's so quick and easy to create a code and then deploy it live.

It's easy to create reports. It works very well. It's straightforward, and it does not require a lot of time. It's a straightforward platform that you can use for performing scans or mitigating issues. It has a very good user interface. FAQs are also helpful in case you are not familiar with it. It's good and straightforward when you integrate it with machine learning platforms.

It's very expensive for a small organization.

I have been using it for a year and a half.

It's a very stable solution.

It's scalable enough. Veracode is being used in the engineering department. It's being only used in one department by two people. It's a developer tool for developing solutions faster, troubleshooting, and debugging.

Their support is good because there is an option to request a consultation. If you face any issue or any difficulty with the scans or mitigation, they can help you out. The support service for me is very costly, but you also have a well-organized FAQ and a very big community for asking questions and getting a solution. I'd rate their support a 10 out of 10.

Positive

I haven't used a different solution. This is the first solution I've used.

I was involved in its deployment. It took me one week to implement Veracode. The process was straightforward. If you are lost or have any issues, you can read the documentation.

I implemented it.

It's not so huge to provide a lot of return on investment, but it's helping us to have a stable solution. It's a secure platform, but in terms of the return on investment, it hasn't made a very good impact yet. We have only seen 10% to 15% ROI.

It has reduced the cost of DevSecOps for the organization because we can use one platform to develop, troubleshoot, and debug faster, so it has helped us a lot.

It's very expensive, especially when you are a very small organization. If you're using Veracode at an individual level, for example, you're a developer or you run agents, the pricing might not affect you, but if you're using it at a company level to troubleshoot security issues, the pricing is not quite favorable. It may affect ROI.

Veracode is good. It's for organizations that want to give their customers both security and privacy. It's good in case you want to dive deep into the code and get the flaws that could be dangerous to both the organization and the customers using an application. If you are looking to create a good application that is also secure, I'd recommend Veracode.

Overall, I'd rate Veracode a 9 out of 10.

Our primary use cases are uploading and assigning scans, uploading compiled codes into the sandboxes, and searching marks to determine whether scans have been completed.

We have multiple locations, teams, and endpoints; we're a worldwide telecommunications company with over 2000 internal and external apps. Some apps communicate from the outside to the inside, but every app goes through Veracode.

We have to scan about 2000 apps, and we're already at 366 scanned within the year's first two months. Additionally, the company has been using Veracode for years; both are testaments to the solution's efficiency.

The platform provides visibility into application status at every phase of the development- Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Testing throughout our SDLC. In terms of DevSecOps processes, the solution makes them quicker and smoother, with less confusion.   

Veracode positively affects our organization's ability to fix flaws; we have a particular app at the moment that failed the scan twice due to its vulnerabilities. Without the solution, we likely wouldn't get that.

The solution has positively affected our organization's overall security posture and will continue to improve it. 

I like the sandbox, the ability to upload compiled code, and how easy it is.

It's also straightforward to find scans we've uploaded. 

The solution's ability to prevent vulnerable code from going into production is incredible. I have done several consultations and remediation calls with the app team, and Veracode catches almost everything. It picks up the same issues in everything we scan, and we've done a lot of retests that way; the tool is very proficient in this area.  

Veracode helps our developers save time; it's a straightforward product that shows us the vulnerabilities and allows us to relay them back to the developers. This is faster and more efficient than staff going through the code manually. The solution is like having a proofreading app for our code rather than using a proofreader.  

The sandbox could use some improvement; when creating a sandbox, it requires us to put the application name in twice, which seems unnecessary.

We've been using the solution for a month and a half. 

Veracode is very stable; unlike many programs and apps, I've never had a problem with it.

The solution is scalable; we're a global telecom company, and we use it to scan every one of our over 2000 apps. 

The technical support is excellent. 

Positive

I'm unfamiliar with the solution's pricing, but it must be worth the cost from a company perspective, as we have been using it for years and have no plans to move away from it.

The product was in place long before I arrived at the company, so I don't know if they evaluated other options.

I rate the solution 10 out of 10. 

I recommend Veracode to any company looking for this type of platform. Though I need to become more familiar with competitor products, I like going into programs and clicking around. Even if I don't initially understand something within Veracode, I can keep going and make sense of it. I updated my resume to include my new experience with the solution.

Veracode reduced the cost of DevSecOps for our organization; we upload a scan, run the test, get the vulnerabilities, and set up a remediation meeting. This makes communication more manageable, and the information is more visible, as all our staff can access the scan results. In several instances, we've consulted with employees from the Veracode side, and they've been very helpful in walking our app team and testers through whatever vulnerabilities we've had issues with.  

I am a software engineer, and one of my clients needed Veracode for security requirements. We needed to send the code through some security tools to see if there are breaches or malicious code that could attack the company. In this case, the client used Veracode to scan third-party libraries from our application. Veracode was running on a private cloud using Azure. 

Veracode helped us prevent possible security breaches. The team can anticipate and correct issues earlier instead of waiting for someone to find the issue or discover it when your application is attacked. 

The report is good because it has lots of security information. It isn't related to the code itself, like the line of the code or the connected library that contains an issue. It's sometimes difficult to figure out how to solve that.

Veracode saves time in the development process because we can anticipate security issues in an application. On the other hand, from a software development perspective, it could be a technical increase in depth. After we develop a feature in the application and run Veracode, we might find some security issues we need to fix. 

For example, we spent a month building a feature on an application, but during this month, Veracode found a security issue in the third-party library we were using and reported it. If we had found the issue mid-development, we would need to rebuild the solution. Sometimes, it might increase the technical depth of the application because this type of security flaw was not found previously in our daily work. 

Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered.

We waste a lot of time figuring out which results are false positives, and it has affected our trust in the tool. After we've spent time training and setting up the tool correctly, we need to scan our code and remove all the false positives. Finally, it's good enough to identify our security issues.

We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process. 

This hasn't happened in .NET or C# because we use can all the libraries used when coding. In JavaScript, it's tough, and we spend tons of time trying to find the issue. However, it's not a problem because it's a pre-compiled language. This isn't unique to Veracode. Black Duck does the same thing.

Maybe Veracode could automatically detect the language type first and improve the way it scans JavaScript to reduce the false positive rate for this specific language. Also, in the reporting area, it could connect to the source code Veracode uses for the third-party library.

When Veracode finds security issues, it creates a report with the number and description of the issues. Sometimes, we are not able to connect that issue with the third-party library containing the code and applications the developers are building. The relationship between the flaw in the code and the third-party library could be more apparent because developers may not realize that the root cause is the library, not the code itself. 

The compliance features are good, but it's pretty picky in terms of what it considers a security issue. I and the other developers struggle to understand what is flagged as a security vulnerability. If you can see a security issue in there, you can see all the documentation, but it's difficult to relate that to the code to determine why the issue happened. It could be clearer how to find the issue in the structure of the code. 

I'm not using Veracode anymore, but I used it for eight months in the last year. 

Veracode is stable overall. When we start the process on the Veracode side, the report generates in less than a minute, and we can see the issues. I don't have any problems with stability.

I used a tool called Black Duck when I worked for another company two years ago. The client chose to use Veracode. It wasn't my option. 

We put Veracode in our pipeline, so the process runs automatically during development. It isn't something we can run manually. There are scripts that run when we start. There isn't any maintenance on the developer side. A designated team takes care of all this.

I don't think we've seen a return on this, but it's hard to calculate because you have to estimate the value of a breach that hasn't happened. This is the main benefit of using this tool. I don't know how to measure that.

I rate Veracode eight out of 10. It can help you improve your security by identifying and preventing issues faster. At the same time, you should know that using Veracode will lengthen the development process because the team needs to check and correct issues. It could increase your development costs. 

Using Veracode has challenged us to be more conscious of security. Sometimes, developers just want to build code. This tool allows you to check if the code or libraries are secure enough to add. 

The most valuable features of Veracode Static Analysis are its ability to work with GitLab and GitHub so that you can do the reviews and force the code.

I have been using Veracode Static Analysis for approximately five years.

The stability of Veracode Static Analysis is good.

I rate the stability of Veracode Static Analysis a nine out of ten.

We have approximately 900 people using the solution.

The solution is scalable, but there is a high cost attached to it.

I use SonarQube with Veracode Static Analysis.

The initial setup of Veracode Static Analysis was reasonably quick.

We did the deployment of the solution in-house.

The price of Veracode Static Analysis could improve.

Sometimes the model that Veracode pushes forward for you to use isn't beneficial. I advise companies to use SonarQube and Veracode together because we use SonarQube for all the individual developers to scan and do their checks and tasks before they do a full peer review to make sure that they have it clean and it's understood. We then use Veracode Static Analysis for repository control because you need fewer licenses. Veracode Static Analysis is expensive and this is why we split the two solutions.

There are extra costs per developer and it can get expensive quickly. They charge approximately $25 a month for each developer that uses it.

I rate the price of Veracode Static Analysis an eight out of ten.

I would advise people to use Veracode Static Analysis in the final levels of deployment. For example, when you used another tooling, such as SonarQube to do the initial tasks with the developers, then for peer reviews it is best to use Veracode Static Analysis for making sure that your repositories are controlled and managed properly.

I would always advise people to deploy at least two tools, one at a lower level to do the peer-to-peer that is cheaper, such as SonarQube because close to being free. Then use something, such as Veracode for the repository control and the management control of your data cubes.

No solution is a hundred percent perfect. I wouldn't rate any solution a 10 because they've all got faults. SonarQube might pick something up that Veracode Static Analysis doesn't and vice versa.

I rate Veracode Static Analysis a seven out of ten.

We use Veracode Static Analysis in the IDE for our engineers to be able to catch security issues while they're coding. Additionally, we use it for the Veracode verified program to show that we're scanning and compliant, and we get the third-party seal of approval.

It's a scanning security, static analysis code scanning software.

Veracode Static Analysis has benefited our company because we are catching potential security issues earlier in the pipeline. Before anything goes to human code review, Veracode Static Analysis catches issues as the engineer is working in their IDE.

The most valuable feature of Veracode Static Analysis is the scanning.

Veracode Static Analysis can improve the false positive. There are always improvements that can be done to the false positive rate. There are some things that get flagged that are not an issue. However, it is not a huge concern.

I have been using Veracode Static Analysis for approximately 18 months.

Veracode Static Analysis is stable.

We have got 5 million lines of code and it hasn't choked at all but seems to run just fine.

We have approximately 40 users and most of those are frontline engineers. Additionally, we have security officers who use it to run reports and team leads that use it for training. We plan to increase our usage when we have new deployments.

I rate the scalability of Veracode Static Analysis a ten out of ten.

I have not used the support from Veracode Static Analysis.

We used HCL AppScan prior to Veracode Static Analysis.

The deployment can be done in approximately 10 minutes. We use Bitbucket Pipelines and Veracode Static Analysis is integrated into our deployment pipelines.

I rate the initial setup of Veracode Static Analysis an eight out of ten.

We did the deployment of the solution in-house. We typically can do the deployments with one person.

I cannot say we have had a return on investment because we haven't had any security incidents, but we didn't have any before using Veracode Static Analysis either.

The price of Veracode Static Analysis is expensive. There is an annual fee to use the solution and the company is upfront with the pricing model and fees.

I rate the price of Veracode Static Analysis a three out of ten.

We evaluated Checkmarx and Synopsys before choosing Veracode Static Analysis.

My advice to others is if they use Veracode Static Analysis they are using a very solid solution. You get what you pay for. It's an expensive solution, but it's very good. You're going to save a lot of time and a lot of headaches with fewer false positives, but you're going to pay for it. It's good if you want to automate something into your pipeline and it's going to run fast and give you good results. I would choose Veracode Static Analysis, but be cognizant of the cost.

I rate Veracode Static Analysis an eight out of ten.

Every build running CI/CD on our applications, like Bamboo or Azure DevOps, will be scanned through Veracode SCA first. If its report for the build has a vulnerability or redundancy that is outdated or vulnerable, then that is our use case for our application. We have a lot of applications that need to automate these things, then get the report to the application team. Therefore, the security team needs to check these one by one.

We have a lot of people using Veracode, like the security team and DevOp. Also, the application team checks the Veracode result and updates it necessarily. Since it is integrated into our applications, there are a lot of users.

Our deployment model is on-prem. We deploy it as a JAR file inside our Cloud CMS.

We are using it to fix flaws in the code. Sometimes, we have reports that need to be checked. If it is a false positive, then we need to submit the false positive. However, if it is positive, then we need to fix it and perform a new scan to make sure the vulnerability has been fixed on the latest report.

After scanning, we receive report slides from Veracode. Their reports can help us to see the CVEs that we haven't even heard of and best practices that we can do, e.g., using logging properly, which is helpful. It helps us 50% of the time.

It has increased our security productivity by approximately 30%. It has reduced our development productivity by a bit less, since it sometimes breaks a lot of modules.

Veracode SCA helps us know about vulnerabilities before they go into our environment. This is one of its best benefits.

The most valuable feature is the security and vulnerability part of the solution. It shows medium to high vulnerabilities so we can find them, then upgrade our model before it is too late. It is useful because it automates security. Also, it makes things more efficient. So, there is no need for the security team to scan every time. The application team can update it whenever possible in development. Because we are using the Azure methodology, this helps us make sure that the application team can do it using the proper Azure method. For example, when we are using scrum, the application team can improve this Veracode scan on this scrum methodology. Therefore, if they were going to create a pull request, it would be detected. It would be scanned first before it goes to production or another environment, then they can fix it so we can do development more rapidly.

Our fix rate has increased by 15%. We know that we can update something now or put it in our roadmap to update later on in our application.

The mitigation recommendations are sometimes helpful. Sometimes, they are outdated. Sometimes, there are a lot of false positives inside Veracode. That is something that I already suggested to the Veracode team.

It could have better integration with our pipeline. If we could have better integration with our application pipeline, e.g., Jira, Bamboo, or Azure DevOps, then that will be very helpful. Right now, it is quite hard to integrate the solution into our existing pipeline.

If it has better integration with our DevOps pipeline, then we would use it more. However, at the moment, if the solution can be used for a new project, then we can integrate it. However, if that takes too long, we will integrate other things that are faster.

We have been using the solution for two years and a few months.

The biggest problem is with the false positives. However, it is quite stable for scanning compared to some other applications. That is why we are still using it.

At the moment, it is hard to implement on our pipeline. Therefore, we need better scalability, as it is quite hard to scale it to bigger projects because then the scanning will take a lot more time.

Their technical support is helpful. If we send a message to them, then they respond within the SLA. I would rate the customer service as eight out of 10.

Positive

While Veracode SCA may take some time to scan, it helps to reduce the number of scans that we need to do. Before, we needed to scan manually multiple times. Whereas, with SCA, we can just check one by one, then send it as a batch and scan it again. We used to scan 10 times or so. With this automated system, we now scan on average five or six times.

I know how hard it was for our DevOps to set it up.

The deployment process is different for each application. There are a lot of different things that we need to set for this solution. If we have a standardized system, not only using JAR but also other things, then that would be very helpful and make it easier for us to integrate. Currently, there is a lot of preparation that goes into setting up Veracode for integration with our existing applications.

Depending on the pipeline, it takes about five working days to deploy.

On our team, the solution has been very helpful. For more than two years, it has helped us get a lot of things on our application. It is easier for us to do fixes instead of just doing a pen test every time, then getting everyone to check it. 

It has good, fair licensing. If the price could depend on the scope of its scanning or the languages supported, then that would be better.

It is quite important to have fixed or static costs because it is easier for our financing.

Compared to other solutions, Veracode is more expensive but offers a lot for free.

We also evaluated SonarQube and Snyk in PoCs. We thought SonarQube and Veracode were good. 

We went with Veracode because its processes are very detailed and it supports a lot of languages. Though, compared to other solutions, it is difficult to integrate into the pipeline and can improve on its false positives.

Try all of the features. Make sure that you use the Veracode SCA with different languages since we can see differences between scanning Java, Node.js, or PHP.

For our site, we only use SAST and DAST for penetration testing. Also, the penetration testing for SCA is handled by another vendor since we have a different vendor for this usage. 

It helps indirectly with Webex.

I would rate the solution as eight out of 10.