Veracode Reviews

I helped customers to build and start the journey of SecOps with Veracode.

Veracode helps to know and prevent vulnerable code or applications from being deployed. We can scan, consume reports, and fix vulnerabilities before deploying an application.

It is very good for ensuring compliance with industry standards and regulations. We can have many dashboards and reports related to policy management.

Veracode provides visibility into application status at every phase of development. We can have many analytics dashboards and reports, and we can build a custom dashboard to have this visibility. This visibility is essential for DevSecOps processes. We need this visibility and information to have a strategic approach and mature our security.

Veracode has the lowest false positive rate in the market. Its results are accurate. In some cases, it is very difficult to see a false positive. We report it to the engineers, and they analyze it. If it is truly a false positive, the engineers will update the engine to provide better results at the next scan. The false positive rate of the static analysis has not affected the time we spend on tuning policies.

It has had a very good effect on our organization’s ability to fix flaws. We are developing a new feature, and Veracode will help to quickly fix any flaws.

It has helped our developers save time, but I do not have the metrics.

All features are valuable. I especially like SAST and ADO.

It is scalable and quick to deploy into the site and the pipelines. The reports and analytics are good, and the false positive rate is low. It gives true results.

There should be more APIs, especially in SCA, to get some results or automate some things.

I have been using this solution for almost three years.

It is very stable.

It is very scalable. I help other companies to deploy. Some of them are small, and some of them are big.

Their support is good. I would rate them a nine out of ten.

Positive

I have not used any other solution previously. I have only worked with Veracode.

It is a SaaS solution. Its initial setup is straightforward. I started with the most critical applications and automated the scanners inside the pipeline. After getting the results, I aligned the security policies. I prioritized the most critical vulnerabilities and assigned these reports to different groups and teams. I also integrated the other plugins into the IDE.

I implemented it myself. I work with DevOps and security teams. In some cases, I also work with developers.

It does not require any maintenance. Because it is a SaaS solution, the maintenance is provided by them.

The ROI is in terms of time savings and mature security. When you deploy a solution like Veracode, you can have these quickly.

It reduces the cost of DevSecOps for the organization when you use it for more than one year.

Its pricing is fair.

It is essential and perfect for preventing vulnerable code from going into production. Nowadays, it is very important and sensible to have a solution like Veracode to know all the vulnerabilities and manage and prioritize the ones that are more critical and better for security posture.

I have not used the Software Bill of Materials (SBOM) feature much, but it is easy to create a report using the SBOM feature. It is important for the supply chain that your software uses.

I would rate Veracode a nine out of ten.

The main purpose of Veracode is to deliver secure code on time. We use it to test our application security, at the implementation stage to make sure that code is secure. We do static and dynamic testing, as well as penetration testing with Veracode. We also use it for security threat detection for our enterprise applications.

It empowers our developers to fix security issues and achieve desired outcomes. It's a very secure cloud platform and helps us monitor our web sources for any attack. We have been able to completely secure our enterprise software, which is on the cloud, with the solution. Overall, we have been able to reduce the risk factors for our enterprise software. Also, determining security threats to our application happens faster now with the help of Veracode. The benchmarking capabilities against industry standards and the compliance help us a lot.

Veracode also provides a lot of programming language support and different frameworks are available, which enables us to get things into production much more efficiently. Our SDLC has become much smoother and more secure with Veracode.

And it has definitely helped our developers save time. It helps them with future references because, if they write code one time with errors that Veracode finds, the next time they use that as a reference and don't repeat the mistake. In that way, in the continuous development process, a lot of time is saved. It saves us about 20 percent of our time.

We are able to create more applications now, and code more, while worrying less about errors while coding. Worrying about fixing the flaws in an application is completely taken care of by Veracode, so we are able to focus more on creating new code and developing new applications. Veracode has been a great platform for that particular purpose.

We have also found more security vulnerabilities in our code, which has helped us produce much better applications for our end-users. Most of the time, vulnerabilities go unnoticed by humans. Veracode helps us pinpoint the exact vulnerability, what it affects, and it helps us correct it for future reference.

One cool feature is the static code scan, which is very good. 

Also, the dashboards and the threat insights it provides are very good. The dashboards are intuitive and pretty straightforward, but also pretty detailed.

We get good, actionable insights at each stage, including static, dynamic, and penetration analysis, and it reduces overhead for us. 

It also has compliance monitoring and reporting capabilities that I like very much. The compliance reporting is a great feature because there are a lot of different frameworks and channels, and each unique channel has its individual compliance monitoring and policies. Veracode helps us prepare for all the different challenges.

The false positive rate is a gray area. The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives. We expect false positives, but if that ratio could be reduced to a single-digit number for the false positives, that would be much more helpful.

We are spending some manual effort and time on this because it happens sometimes, when we first scan code, that it says there is no threat. And the second time we scan it, it says there is a threat. Those kinds of positive responses make us do double work. If that was better, it would greatly improve our overall efficiency.

Apart from the false positives, I would like to see more plugins and integrations to make Veracode much more user-friendly for developers and users. Any IDE plugins would make our work faster.

My experience with Veracode has been over 12 to 14 months.

Overall, because it is a cloud platform, stability is not a concern. It's quite stable. To be strict about things, the UI can be very slow. There is downtime now then, and I understand why it happens, but I would appreciate it if that happened less.

We are not going to scale it right now. We have about 18 developers and five or six administrators using the solution, and I don't expect that will change for now. But you can purchase more licenses. It's definitely scalable in that sense.

We have it in a single location only and it is used across three or four development teams in our office.

Veracode support is very knowledgeable and very prompt. The Veracode community is also available, which is very good.

Positive

It's only deployed on the cloud. Although I was not a part of the initial deployment, I know for a fact that the deployment can take a long time.

As for maintenance, there are software updates, but apart from downloading the software updates, there isn't any other maintenance required on our side. It's a cloud platform so it self-maintains.

Our ROI is that we have seen a tremendous increase in the overall security of our enterprise software. It has helped us engage better with our clients and our retention rate has increased about 7 percent. We can't pinpoint that directly to using Veracode, but since we started using it we have seen this retention increase.

The pricing is fair. We are planning to renew for the next year.

It's definitely value for money. I would tell someone who is looking at Veracode not to be concerned about the pricing because the value that they will get, for this price, in the market, is very good when it comes to their long-term plans.

If a proof of concept is possible, I would ask you to try it out first to get a sense of what Veracode is before investing. But investing in this tool is very much needed. With security threats, for long-term purposes, the code-level threat detection and code-level error detection are very much needed by any organization.

We are a Veracode reseller and we utilize their solution for software vulnerability analysis. Our primary objective is to identify any security issues in open-source libraries that have been rejected. Additionally, we perform dynamic code scanning and employ Static Application Security Testing for comprehensive application security testing.

Veracode prevents 100 percent of vulnerable code from entering production.

Veracode has assisted our customers in deploying safely, thereby reducing both risk and hassle. Additionally, the solution has aided in reducing the costs associated with problem resolution. We noticed the benefits within the first day of using Veracode.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is excellent. We only need to specify the regulation we must comply with, and the report will be generated instantly.

Veracode provides visibility into the status of applications at every phase of development. It is one comprehensive integrated system, but we can also utilize specific features like SAST if we require it.

In the absence of Veracode, the security team typically informs the developers about the policies that must be adhered to, and they enhance the code in a manner that ensures compliance. However, when Veracode is utilized, this step becomes unnecessary. Each individual focuses on their respective strengths, allowing for seamless collaboration.

We have compared Veracode with other solutions, and its false positive rate is the lowest in the industry.

Veracode's low false positive rate is key to our ability to avoid being burdened by false alerts and focus on fixing code.

Veracode's false positive rate of the static analysis has helped save us time.

Veracode helps fix flaws. Our customers have reported that it is faster and more compliant, making it easier for them to send out reports to various stakeholders when they have questions. For example, when dealing with higher-level management, we can create a report containing comprehensive statistics and informative pie charts, which greatly assists them. Additionally, this helps demonstrate the value of Veracode during internal assessments.

Veracode helps our developers save time. 

Veracode helps improve our security posture as it ensures compliance and simplifies the process.

Veracode helps our developers save costs.

Static code scanning is the most valuable feature. Moreover, Veracode integrates with various frameworks and workflow solutions.

Veracode has the capability to identify flaws in the code. I would like Veracode to also have the ability to fix these flaws in a future release.

I have been using Veracode for four years.

Veracode is an exceptionally stable solution.

We can scale Veracode from one to thousands of applications within a minute.

Veracode is used by some of our customers for individual applications, as well as by others for thousands of applications.

The technical support is great.

Positive

In addition to previously using SonarQube, we also employed several other solutions before transitioning to Veracode due to its superior reporting capabilities.

The initial setup is straightforward. The deployment time depends on the size of the built solution. If we consider a relatively modest number of apps, I would say that they can be up and running within a day or two. We first completed a good analysis of what our customer wanted and because Veracode is a cloud solution, we can have a code scan running within minutes. It is easy to integrate other frameworks and work with applications that are already integrated with Veracode. One product owner or software developer can handle the deployment.

The implementation was completed in-house.

With Veracode, the benefits are clear, and we can see a return on investment through the visibility it offers. This enables us to fix flaws sooner, thereby reducing the time to market for our customers.

Veracode provides value for the cost, with no additional charges apart from the standard licensing fee.

I would rate Veracode a perfect ten out of ten because it consistently delivers on its promises.

Those who are concerned about Veracode's price should be aware that the solution holds value. Additionally, they should consider that other solutions are on-premises and require additional fees for reporting traffic processed, unlike Veracode.

The maintenance is all taken care of by Veracode.

Veracode is so straightforward that I have no advice to offer to anyone.

There are many companies out there that do not consider code security when thinking about cybersecurity risks. This holds true even for larger companies, where it is still a greenfield situation.

I currently work for a Veracode distributor here in Brazil. I work in both presales and post-sales, and I do implementations as well.

We talk a lot about shift-left and this is very important because, when you find problems near the beginning of the process, it costs less to resolve them. In addition, Veracode provides information on how to handle issues and that saves time for the developers. It's also good for a company's image because the problems are found before deployment to production. 

When it comes to developer confidence, the low false-positive rate is very important. If they use a tool with a lot of false positives, they won't believe the reports they get. And that's important because if the teams don't like a tool, they won't use it. Also, we don't have a tool in Veracode for tuning policies because it is an automated process. In most cases, we don't have many problems that require tuning. We just review the model and usually find it's fine.

To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors.

And Veracode's ability to prevent vulnerable code from going into production is the main selling point that we talk about with our customers. It is one of the most important features. 

I have also used the Software Bill of Materials (SBOM) feature in some implementations. It's important because in modern software development, people always use third-party components but they don't necessarily see the problems that they may contain. If you don't use the SBOM tool, you won't know the status of all these third-party pieces. And it's very easy to create a report using this feature because it is made in the Veracode portal with a graphical interface or, in the CLI, it's just one line of code.

Another important factor is the policy reporting for ensuring compliance with industry standards. We generally work with big companies in Brazil and, for them, maintaining the required standards is imperative. The policies can help achieve those standards.

We can also involve Veracode at every stage of the development process. It has a lot of tools to help with security.

Veracode has a new tool to automate the fixing of flaws, but we don't use it. Generally, the orientation that Veracode provides for resolving problems is good and developers can use it to handle the problems and make things work.

In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me. I am a distributor and a Veracode solutions expert, so if I create a ticket that means I have read the documentation. It would be better if they sent me more examples instead.

I have been using Veracode for two and a half years.

It has great stability. It uses AWS and I don't recall any downtime.

The license provides for scalability, so it's just a matter of connecting more users. We don't need to think about it, which is good.

Veracode is a SaaS solution. We just connect it to the customer's environment. It's very simple. We have plugins for the most popular CI/CD tools and, for other tools, it's one or two lines of code to implement. Generally, we just need one person who has edit access to the pipeline. So one or two people are sufficient to implement it.

There is no maintenance of the solution because it's SaaS.

The commercial guys take care of the pricing, it's not something I'm involved in. But the licensing is simple. The SAST product has some rules that some customers have found a little confusing, but overall, the licensing is simple. 

The impact that Veracode has on security posture depends on the size of the company. Usually, large companies have standards in place, and that makes code development more secure than it is in small companies. For small companies, Veracode can really make a huge improvement to the SDLC.

I use Veracode to prevent vulnerable code from going into my application.

The major improvement is that we have secure platforms, free from vulnerable code, so I'm very pleased. It's definitely a helpful solution. It helps me to minimize risks. We know that things are very secure and cannot be hacked because we have taken out the vulnerable code. Overall, the effect is that we are very secure and very reliable for our clients.

And Veracode has improved efficiency and the quality of work in our organization. It gives our developers the confidence to develop faster, saving a lot of time. It saves them around 30 percent of their time.

And the false positive rate is very impressive. It saves us a lot of time, about 20 percent, on tuning policies.

We also know that we are compliant in our industry.

The static scanning and the analytics are ideal for me. The static analysis gives you deep insights into problems.

And creating a report is easy.

They need to have a plug-in, a better integration with the development environment. 

I have three years of experience with Veracode.

It is a stable product.

It is scalable enough.

The setup is very simple. I deployed it alone and it took me five hours.

And it doesn't require any maintenance.

I have seen a return on investment of about 50 percent. It has reduced the number of DevOps that we need, saving us about $800 per month.

The pricing is fair. You get a lot out of the product. If you're concerned about the pricing, I will show you how it is cheap.

I would recommend using Veracode to help you understand your software and remove vulnerable code.

We use Veracode to scan our products for code security. Our company also uses Veracode's data security module.

Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode. I rate Veracode's compliance features a nine out of ten because it provides detailed reports after each scan about potential regulatory violations. 

The solution's static analysis streamlined our DevSecOps process, which previously involved a lot of manual work to trace code vulnerabilities. Veracode reduced our DevSecOps team's time on these tasks by around 20 to 30 percent while drastically improving code quality. 

In the past, we also performed a scan using third-party vendor partners that took days to complete. Veracode conducts a quick dynamic scan each time a new iteration of code is built and deployed into the environment. It gives us an immediate result. We can deploy our products much faster, and there are no delays or surprises after the product is built. We aren't wasting time from development to deployment.

Our overall security posture improved, but we've only been using Veracode in production for less than two months. We expect a massive improvement in the next six to eight months.

The false positive rate is typically less than five percent. False positives can affect how developers use a solution. If we see too many false positives, we might start ignoring alerts. Sometimes the developers lose confidence and may take the work lightly. It isn't an issue currently because the rate is under five percent. 

Dynamic scanning is the most useful feature.

Veracode's ease of use could be improved. I would also like to see more online videos and tutorials that could help us understand the product better. It would also be helpful if Veracode created a certification program for DevSecOps staff to learn about their product and get certified. This kind of training would raise the company's profile within the industry. 

We have used Veracode for about three months. We did a proof of concept for one month, and it has been in production for two. 

I rate Veracode a ten out of ten for stability. We haven't had any issues.

Veracode is scalable, but we haven't scaled it up. However, I expect it will work well when we do.

I rate Veracode support a nine out of ten. Their support system is excellent and highly engaged.

Positive

We tried some Indian solutions and used third-party scans for static analysis, but Veracode is the first time we have fully integrated an enterprise code security solution.

Veracode is a SaaS solution. Setting it up isn't simple, but it isn't too complex. We deployed Veracode with a three-person in-house team. Veracode requires a decent amount of maintenance. You must perform periodic validation checks on how the engine is performing. 

You have to compare the price to the potential cost of data security threats, which could devastate your reputation and revenue overall. We do not doubt that the investment is worth it. It's too early to calculate an ROI, but we anticipate a reduction in overall DevSecOps costs. 

Veracode is priced competitively for our market. 

We evaluated a few other vendor partners and decided to go with Veracode because of the various features they offered.

I rate Veracode a nine out of ten. If you plan to implement Veracode, your DevSecOps should adopt modularized-based code segregation for better visibility into how this ecosystem works. It's crucial to be clear about the solutions you are procuring. There are multiple options, and not everything will work for you. Understanding your requirements, what your customer needs, and what will work best for your product is essential. Purchase the solution most suitable for your product and your company. 

You should also maximize Veracode's benefit by working closely with the tech support team. We don't use many of the features we have procured. Setting up an ongoing review mechanism with Veracode technical support is critical to better understand the product and ensure you get the maximum return for your investment. These are some points that company leaders need to discuss with their DevSecOps and DevOps teams.

We are a relatively young company that started about a decade ago. The company adopted Veracode about five years ago because it's a market leader in that segment. 

Veracode checks for security flaws in our code. We provide software for companies in the financial sector, so it's critical that we use Veracode. There are some lesser-known competitors, but Veracode is the biggest player in security software. In a way, it's good marketing to use Veracode.

We are running it locally, but we plan to move to the cloud in the next few months. We're a small company with 20 employees. Our development team deals primarily with it, and some other support guys are involved occasionally. 

We have been using Veracode for several years. It has become a crucial tool for preventing security flaws in our applications. The quality of our software has improved significantly since we started using Veracode. We have a software development shop and also provide solutions for other companies. It's critical to have our software checked by Veracode.

Our code must be free of security flaws, especially high-level ones. Our software must be above a minimum threshold. Veracode has enabled us to see the quality of our code security. We need at least an 80 percent score. We are sure that our code is high-quality and that our clients won't see security vulnerabilities in the code when we ship it to them.

Veracode covers every phase of development. We mainly use it for static analysis and recently started using it for software composition analysis.

The false positive rate is around 10 percent, which is expected in automated software. Veracode's competitors have false positives, but we're happy with Veracode's ability to mitigate the problem. We check every false positive and clear it. It does not affect our competence at all. We realize it will happen from time to time. The effect of false positives is negligible. We don't have a problem with that. We are experienced enough now to see what is or isn't. 

I like Veracode's integration with our CI/CD. It automatically scans our code when we do the build. It can also detect any security flaws in our third-party libraries. Veracode is good at pinpointing the sections of code that have vulnerabilities. 

We are testing Veracode's software composition analysis, but we're having trouble integrating it with SVN. It works out of the box when you use Git but doesn't work as well with other tools like SVN. It's more geared toward Git.

I have been using Veracode for two years in my current role.

Veracode's stability is decent. That was only one instance where it identified a security flaw but didn't detect it afterward. Otherwise, it's mostly consistent.

We use it on a couple of different projects, and we plan to move to the cloud. They have a cloud option that makes it scalable.

I rate Veracode support nine out of 10 in its current state, but given our problems in the past, I might rate it seven overall. We had some problems when I joined. They put in a lot of effort, but it took them a couple of months to get it right. They did their best to resolve it, so I appreciate that, but we weren't happy it took so long.

Positive

We don't see a direct return from using Veracode, but it ensures we deliver a product without security faults. It has also reduced our development costs, but it's difficult to quantify that. By having the code tested before we ship it to clients, we ensure our clients don't have issues with the security of our software. 

The price is reasonable and affordable for a small company like ours. Veracode provides a lot of features. You can purchase some additional tools. For example, we are currently testing software composition analysis. We discussed adding that to our standard package.  

I rate Veracode eight out of 10. I recommend first testing it on your code to see if it's appropriate. You need to see how long it takes to scan the code. 

We primarily use Veracode for static code analysis.

Veracode detects vulnerabilities. The most essential part is Veracode's PCI compliance policies. We need to make sure our code is compliant. Veracode's policy reporting features are effective at ensuring compliance with industry standards and regulations. The policy has changed here, but that functionality works quite well. It provides visibility to application status at every development stage. 

The solution helped us find and fix flaws. It ultimately saves us some time, but we still spend a long time sorting through the false positives. Every report generates a number of issues, some of which are valid. Others are mitigated by application design or network devices. Veracode improved our security overall. There is no doubt about that. 

The CSA vulnerability scanning is useful. 

The dynamic scanning feature appears to be working, however, 90%-95% of all vulnerabilities could be easily detected by any web browser.

When it comes to dynamic scanning Veracode needs to improve its functionality.

They claim that we can do this, but it doesn't work when we're scanning the applications in real time.  

Static code analysis generates too many false positives, so it takes a lot of time to review them all. The security and development teams need to work together to mitigate the false positives. It doesn't affect the developers' confidence in the solution. It still works, but it takes time. It has a significant impact on the process. 

I have been using Veracode for five or six years.

I rate Veracode support a seven out of ten. We have weekly meetings with the support representatives to discuss any issues with the tool. It's pretty good.

Neutral

I rate Veracode a five out of ten.