Veracode Reviews

We use Veracode Static Analysis in the IDE for our engineers to be able to catch security issues while they're coding. Additionally, we use it for the Veracode verified program to show that we're scanning and compliant, and we get the third-party seal of approval.

It's a scanning security, static analysis code scanning software.

Veracode Static Analysis has benefited our company because we are catching potential security issues earlier in the pipeline. Before anything goes to human code review, Veracode Static Analysis catches issues as the engineer is working in their IDE.

The most valuable feature of Veracode Static Analysis is the scanning.

Veracode Static Analysis can improve the false positive. There are always improvements that can be done to the false positive rate. There are some things that get flagged that are not an issue. However, it is not a huge concern.

I have been using Veracode Static Analysis for approximately 18 months.

Veracode Static Analysis is stable.

We have got 5 million lines of code and it hasn't choked at all but seems to run just fine.

We have approximately 40 users and most of those are frontline engineers. Additionally, we have security officers who use it to run reports and team leads that use it for training. We plan to increase our usage when we have new deployments.

I rate the scalability of Veracode Static Analysis a ten out of ten.

I have not used the support from Veracode Static Analysis.

We used HCL AppScan prior to Veracode Static Analysis.

The deployment can be done in approximately 10 minutes. We use Bitbucket Pipelines and Veracode Static Analysis is integrated into our deployment pipelines.

I rate the initial setup of Veracode Static Analysis an eight out of ten.

We did the deployment of the solution in-house. We typically can do the deployments with one person.

I cannot say we have had a return on investment because we haven't had any security incidents, but we didn't have any before using Veracode Static Analysis either.

The price of Veracode Static Analysis is expensive. There is an annual fee to use the solution and the company is upfront with the pricing model and fees.

I rate the price of Veracode Static Analysis a three out of ten.

We evaluated Checkmarx and Synopsys before choosing Veracode Static Analysis.

My advice to others is if they use Veracode Static Analysis they are using a very solid solution. You get what you pay for. It's an expensive solution, but it's very good. You're going to save a lot of time and a lot of headaches with fewer false positives, but you're going to pay for it. It's good if you want to automate something into your pipeline and it's going to run fast and give you good results. I would choose Veracode Static Analysis, but be cognizant of the cost.

I rate Veracode Static Analysis an eight out of ten.

Our primary use case of this solution is for static and dynamic analysis along with the source gear for the third party dependency (not IDM). 

We were looking into actually moving towards IDM, but that's the extent of my knowledge. They are licensed as two separate products. They're part of the same platform, but they are licensed separately.

We have Veracode, Veracode Developer Training, Veracode Software Composition Analysis, and SourceClear. SourceClear and SCA are pretty much the same. They just support different languages. Veracode as a whole, the top option, is the one that includes everything.

We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle. We rely on this set of tools to automatically scan our artifacts when they are moving to different environments. 

We got it to the point that when we were promoting the artifacts from desktop to the server environment, we already had the scans completed. We knew the vulnerabilities that we were introducing with the new features ahead of time, i.e. before the QA department was finding them. That was the main reason we decided to use Veracode or to use tools for static analysis and dynamic analysis.

With Veracode, it's not about features for us. It is about the pricing model that they offer. To be honest, with their vulnerability database, the total amount of false positives that we're getting is very low. 

That's the main reason we use Veracode over anybody else. New Veracode features could include a very big database of actual vulnerabilities to be better than other products.

Veracode owns SourceClear. They bought them in 2017 or 2018, and they still are not fully integrated with the actual Veracode dashboards. Right now, you have to use two separate tools from the same company. One for the static analysis and dynamic analysis, then the second one for the third-party dependency. 

That is an area that they need to improve the service. Veracode needs to bring the second tool in already to the dashboard so that we don't have to use two separate logins. We don't want two different sets of jobs that we have to upload into two different places, etc. Veracode also needs better integration of their tools to each other.

Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis. The SCA feature is on the website. Veracode should integrate SourceClear with the company product line finally after two years. I would love to see that. 

Veracode did not previously support Python 3. They just released the support for Python 3. Keeping updates coming quicker would be the main thing that I would love to see, i.e. to have all these solutions better integrated.

We have been using Veracode as a solution for almost two years.

It's a very stable solution.

Scalability is the main issue with Veracode. For my company, the outlier is out there, but when it comes to scalability, we had issues with automatically scanning springboard artifacts. If you scan the artifacts, they want the artifacts to be packaged in a specific way. This is very well documented on the website but it's not the way we're doing business. 

The workaround was taking the build that was getting put together by Jenkins and moved through the environment. We had to make a separate one, packaged differently just for the tools to work. For the scans to work, if that makes sense. Maybe we are just weird in the way we package our artifacts but maybe many are having the same issue.

We have about 200 engineers that have user roles in the solution. There are different roles. We have security administrators. We have team leads. We have managers. Their roles are all very well put together. Each team has a manager that has access to more features than the rest of his team. They can create things, delete things, compared to the regular guys that can only see the reports. It's very well structured, from that standpoint.

Theoretically, everything is integrated with Jenkins, so the staff depends from one application to another, i.e. three people or eight people from our side. From their end, in our pricing model, we have access directly to an account manager. They have a team of engineers that usually help us if we encounter any issues. It's very extensive in use. We have about 80 services and applications going through using the scanning solutions that Veracode has and we are scaling up.

The solution's technical support is absolutely fantastic and very fast. Veracode has very fast resolution and response times. Usually, when we have an issue, it's only a few hours before we get an answer from them.

Another time, the Veracode integration wasn't working and in about 3 days we came up with a solution to our problem. At the high level, the beginning of the conversation with Veracode tech support is pretty fast. It's only a few hours. 

Coming up with a solution takes two to three days at the most with Veracode. We pay a lot of money for that. You get what you pay for.

We never did use other products. The reason we started looking into IBM and WhiteSource was because of the hiccups or the speed bumps we were encountering with our springboard artifacts. We were in the process of evaluating other products and I think it's still a valid option. I wouldn't advertise it, but we were in the process of changing from Veracode just because of that one particular issue.

We had to build our artifacts differently than before just to scan them, i.e. instead of scanning the ones we were publishing. It's not a big deal overall, but it would be nice for the solution to work out of the box with everything that's out there. Instead, many companies are changing the way they're doing business just for this small little step in the delivery process.

I was not involved with the initial setup. When we were uploading new applications to their solutions it was very straightforward. Their documentation is really good and very detailed.

In the worst case scenario, if the implementation engineer just runs through the material, you can go on the website for resources. The way they have everything documented is very good. Veracode is very well documented.

I do not have any information on ROI. We became better from an engineering standpoint, but I don't know if we saved a ton of money in the process.

They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static analysis was about $4500 yearly. The license is only for the number of users, it doesn't matter what data you put in there. That was the old model. I do not know how the new model works. 

We are in negotiations with Veracode. The old model was about $500 for dynamic analysis and about $4500 for the static analysis, per app or service, per year.

Veracode offers a lot of other license options that you can put on top of what we just discussed, but I don't think we ever looked into any of those. The way we implemented it was very straightforward. You have your app and you pay this much for both dynamic and static licensing. That's all we cared about per year. 

We looked at IBM before we decided to go with Veracode. I've seen the documentation that our director of information security put together. 

We looked at six different solutions before we went with Veracode. Another company does their pricing model based on lines of code. WhiteSource was one other option we evaluated.

We did review a few of them. IBM App Scan and WhiteSource were definitely on the list. I don't remember the rest of them.

If the springboard issue doesn't hold them back and the pricing model stays the same as the one that we have right now for this year with them, it's a good deal. Veracode is pretty straightforward to use and the support is really good. We don't have a lot of complaints about that. 

I don't know how the pricing model is going to change the actual price of the application. On a per license basis, Veracode has a very lucrative way of doing business. I don't think a big company that has a lot of services and applications would enjoy paying upwards of $200,000 per year to scan all their code. 

Prospective customers should look at how the pricing model affects them, especially if they are in the microservice type of architecture or if they are moving towards something like that.

I would rate Veracode an eight out of ten just based on the experience that we had the past two years. The reason it's not ten is because of the ways these tools integrate. 

That rating is at risk of becoming a seven now with the pricing model changing. Veracode is probably not going to be that attractive anymore compared to other competitors. We knew other competitors were more expensive. The reason that we didn't go with them was that Veracode was very straightforward.

We have multiple verticals and products, and we use Veracode to perform static analysis on our hosted applications across all the platforms. We also perform static and software composition analysis on a couple of products.

Our offices are spread out across North America, South America, Europe, and Cyprus. We also have offices in Australia that use the solution. About 25 to 30 people use the solution regularly. 

Veracode has greatly improved the security posture of our applications because we can identify and mitigate vulnerabilities that we couldn't have without the solution. Veracode provides compliance reporting so we can identify issues without having to rely on complaints. Veracode has been extremely effective at fixing flaws in our applications. We have multiple applications across multiple verticals

Veracode or any other solution like it doesn't prevent anything. The product provides insight into the vulnerabilities, but it's up to the end-user to mitigate that and move it into production. If we fail to remedy the issue and move the code into production, it isn't Veracode's failure. We can't judge the product based on whether it could do that. The product is doing what it should be doing.

In addition to dynamic and static analysis, we can perform software composition analysis, which involves going into the various libraries to retrieve details about that. We see a few false positives in Veracode but not many. It's negligible. 

Veracode has saved our developers time by identifying and reporting flaws. The developers don't need to spend time checking the code by hand. It reduces the time spent on these tasks by about 10 to 20 percent. 

I believe the static analysis is Veracode's best and most valuable feature. Software composition analysis is a feature that most people don't use, and we don't use SCA for most of our applications. However, this is an essential feature because it provides insight into the third-party libraries we use.

We have some constraints interacting with Veracode self-support. I'm not talking about their technical support. I'm talking about self-support. We sometimes have a hard time communicating with them.

I have used Veracode for the last five or six years, but the company has used it for nearly 10. 

Veracode is a highly stable product.

I haven't had a scenario where we've had to scale it.

I rate Veracode technical support nine out of 10. They are excellent. When we have problems, they provide a solution every time. 

Positive

We had been using a third-party service for vulnerability checking. 

The deployment is a little complex. There is a small learning curve, but it isn't too difficult. The installation isn't hard, but we need to configure the dynamic analysis where it connects to a hosted application and performs checks. We have to configure the console and set a schedule. It takes a couple of hours to configure a new application.

We have been able to mitigate lots of flaws and vulnerabilities, so Veracode has had a positive effect on our products. It's hard for me to quantify. Our company has a large footprint across Asia, North America, South America, and Europe. 

Veracode is fairly priced. 

I rate Veracode eight out of 10. I would recommend Veracode to other users. However, I suggest doing a proof of concept before moving forward with any solution. 

We are a Veracode reseller and we utilize their solution for software vulnerability analysis. Our primary objective is to identify any security issues in open-source libraries that have been rejected. Additionally, we perform dynamic code scanning and employ Static Application Security Testing for comprehensive application security testing.

Veracode prevents 100 percent of vulnerable code from entering production.

Veracode has assisted our customers in deploying safely, thereby reducing both risk and hassle. Additionally, the solution has aided in reducing the costs associated with problem resolution. We noticed the benefits within the first day of using Veracode.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is excellent. We only need to specify the regulation we must comply with, and the report will be generated instantly.

Veracode provides visibility into the status of applications at every phase of development. It is one comprehensive integrated system, but we can also utilize specific features like SAST if we require it.

In the absence of Veracode, the security team typically informs the developers about the policies that must be adhered to, and they enhance the code in a manner that ensures compliance. However, when Veracode is utilized, this step becomes unnecessary. Each individual focuses on their respective strengths, allowing for seamless collaboration.

We have compared Veracode with other solutions, and its false positive rate is the lowest in the industry.

Veracode's low false positive rate is key to our ability to avoid being burdened by false alerts and focus on fixing code.

Veracode's false positive rate of the static analysis has helped save us time.

Veracode helps fix flaws. Our customers have reported that it is faster and more compliant, making it easier for them to send out reports to various stakeholders when they have questions. For example, when dealing with higher-level management, we can create a report containing comprehensive statistics and informative pie charts, which greatly assists them. Additionally, this helps demonstrate the value of Veracode during internal assessments.

Veracode helps our developers save time. 

Veracode helps improve our security posture as it ensures compliance and simplifies the process.

Veracode helps our developers save costs.

Static code scanning is the most valuable feature. Moreover, Veracode integrates with various frameworks and workflow solutions.

Veracode has the capability to identify flaws in the code. I would like Veracode to also have the ability to fix these flaws in a future release.

I have been using Veracode for four years.

Veracode is an exceptionally stable solution.

We can scale Veracode from one to thousands of applications within a minute.

Veracode is used by some of our customers for individual applications, as well as by others for thousands of applications.

The technical support is great.

Positive

In addition to previously using SonarQube, we also employed several other solutions before transitioning to Veracode due to its superior reporting capabilities.

The initial setup is straightforward. The deployment time depends on the size of the built solution. If we consider a relatively modest number of apps, I would say that they can be up and running within a day or two. We first completed a good analysis of what our customer wanted and because Veracode is a cloud solution, we can have a code scan running within minutes. It is easy to integrate other frameworks and work with applications that are already integrated with Veracode. One product owner or software developer can handle the deployment.

The implementation was completed in-house.

With Veracode, the benefits are clear, and we can see a return on investment through the visibility it offers. This enables us to fix flaws sooner, thereby reducing the time to market for our customers.

Veracode provides value for the cost, with no additional charges apart from the standard licensing fee.

I would rate Veracode a perfect ten out of ten because it consistently delivers on its promises.

Those who are concerned about Veracode's price should be aware that the solution holds value. Additionally, they should consider that other solutions are on-premises and require additional fees for reporting traffic processed, unlike Veracode.

The maintenance is all taken care of by Veracode.

Veracode is so straightforward that I have no advice to offer to anyone.

There are many companies out there that do not consider code security when thinking about cybersecurity risks. This holds true even for larger companies, where it is still a greenfield situation.

My company produces a SaaS application that is used by very large customers for pricing analytics and sales workflows. The data that our customers put into our software is very sensitive and confidential. This means that they want a high degree of confidence that our solution is secure.

We use Veracode as one of the pillars that we can point to as helping us to deliver on the promise of having a secure product. We have a multi-dimensional security program and Veracode is one important aspect of that.

Veracode provides guidance for fixing vulnerabilities. It provides guidance to help us understand what it flags, and what we can do about it. It still takes some interpretation and insight on our side, but we aren't generally security experts, so we get good information from Veracode to help inform us.

The developers are able to understand the types of issues Veracode looks for, and then as they see that happen, it helps them to learn. It's good because they consider it the next time and hopefully, we don't need Veracode to flag the issue because there is no issue.

With respect to efficiency when it comes to creating secure software, Veracode is able to help us with very low overhead. There's not a lot of work needed on our side unnecessarily. Once we've wired everything together, it's seamless to get the scan done and get the results back and know what we need to do about them.

We use Veracode for some of our older, more monolithic software, as well as for our newer solutions, which are designed to be cloud-native. We've found Veracode useful in both use cases; first, with our huge monolithic software, as well as with our microservices cloud-native solutions.

In terms of AppSec, there are a lot of benefits that cloud-native design brings in terms of not only cost and scalability, but testability and security. Certainly, the design patterns of cloud-native are well aligned with delivering good security practices. Working with products that support cloud-native solutions is an important part of our evolution.

Using Veracode has helped with developer security training and skill-building. It's definitely a good way to create awareness and to deliver information that's meaningful and in context. It's not abstract or theoretical. It's the code that they've written yesterday that they're getting feedback on, and it is a pretty ideal way to learn and improve.

The static scan capability is very powerful. It's very good in terms of the signal-to-noise ratio. The findings that we get are meaningful, or at least understandable, and there's not a bunch of junk that some other code scanning tools can sometimes produce. Having results like that make it hard to find the valuable bits. Veracode is highly effective at finding meaningful issues.

The speed of the static scan is okay. It meets or exceeds our expectations. For our monolithic application, which is a million lines of code, it takes a while to scan, but that's totally understandable. If it could be done magically in five minutes, I wouldn't say that's bad. Overall, it's very reasonable and appropriate.

Veracode has policy reporting features for ensuring compliance with industry standards and regulations. We have one such policy configured and it's helpful to highlight high-priority areas. We can address and help focus our effects, which ensures that we're spending our time in the best way possible for security movement. The policy is a good structure to guide results over time.

We use Veracode as one metric that we track internally. It gives us information in terms of knowing that we are resolving issues and not introducing issues. I cannot estimate metrics such as, for example, Veracode has made us 10% more secure. I can certainly say it's very important when we talk to our customers about the steps we follow. We do external pen tests, we do web app pen tests, and we also use Veracode. It's certainly very helpful in those conversations, where we can state that it is one of our security practices, but there's no outcome-based quantitative statistic that I can point to.

The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly. We're doing scans daily, so that's the most important feature for us.

The interface is great. It allows us to look at our different applications, understand all of the different types of scans, as well as the results. The types of testing include SAST, DAST, and SCA, and it pulls all of the information together into a single view. It also produces reports that we can give to our customers when requested.

Veracode certainly provides a quick and intuitive way to understand the results, to see the context of them, and to identify what we need to do to address them. In general, it's a pretty quick way to get the information that we need in the most useful way possible. Then, we can turn around an action plan.

We have it integrated with our build pipeline and that works well. It's very important because we don't have to complete a separate, manual step of sending the software up to Veracode to scan it and get the results. It's great. the more things that we can integrate into the build pipeline, the better. It's a very positive thing.

Veracode is very good in terms of not having a lot of false positives. It would be very frustrating if a tool gave you 10 good results but 50 false positives. Even with the issues that we get that we choose not to address, we can still understand why they're being flagged. We have found that the results are meaningful and accurate, which gives us confidence in the solution when fixing vulnerabilities. 

We may choose not to address them for different reasons. For example, it could be because it's an issue about input sanitization, but we have another layer on top of that component to handle that task. We can recognize that it's important that Veracode is flagging those things at that lower level, and that they're bringing that additional insight and consideration to the designs that we're choosing. Overwhelmingly, even the issues we choose not to address are still valuable and meaningful, so the actual false positive rate is quite low.

This is a very useful and powerful tool that ensures our code is well-designed and correctly implemented. It is important that it's only one aspect of a security program and not the only insight or the only test. That said, it provides us with some pretty important feedback and insights that we wouldn't have a great way to get otherwise.

The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it. The pricing model was expensive and the results were not the same as the full solution analysis. It gives a differently scoped "just in time" analysis within the context of the IDE, so it didn't speak to the same problem space.

The best situation would be the one where the developers don't even need to log into the web portal, and the results from the scans would be delivered into their IDEs. It would be an asynchronous job, but if they could see the results right there, while they're working on the code, then they wouldn't need to go to a separate tool to look at the information to figure out what to do next.

The workflow today on the build side is optimal, so imagine that's still doing the same thing but then in the backend, whenever a developer has that project open in the browser, if they chose to, they could enable a view to see the most recent Veracode results of that module. That scan might be from last night or six hours ago or any other point, and that's fine. It would be the best possible situation to put the results and the actions right in front of the developer, in the tool that they're already using when they're touching the code.

The only other thing that we've found a reasonable workaround with is how to work with microservices in the context of Veracode. This was necessary because Veracode's licensing model and the interaction model are built around an idea of an application. When you're talking about a section of business logic that's being delivered by possibly dozens of microservices, there is some friction with Veracode in terms of how that application gets defined and how the scans occur and get reported on.

When we reached out to Veracode about this, I got a slide deck that provided us with different options of how they recommend proceeding in this context. It was helpful, and clearly a question they've considered and they had answers ready to go on. The ideas helped us and essentially reinforced what we were already thinking. It's getting the job done, but it still feels like a little bit of a square peg in a round hole and it could be a little smoother in terms of that interaction.

The problem boils down to how we fit the microservices architecture into the Veracode notion of an application. We need to be able to get a holistic view across the microservices, which is extremely challenging, especially when those microservices are owned by different teams who have different needs to see and respond to the scans. 

I have been using Veracode for between five and six years.

The stability is great. They've probably had some downtime, but I don't know about them. From our perspective, it's been solid.

I know the web portal has some planned downtimes because I see the splash screens about them. They're good about warning you, but they're also performed at very weird times, like the middle of the night, so it's never blocked me from getting in when I need to get in.

We use Veracode for all of our software development. We have more than 100 engineers, and our entire engineering team is using it. Obviously, every team has some designated people who look at this more than others, so not everybody's in there every day, but in terms of the software we write, we know that it's all being scanned constantly.

Over the last few years, we've made a couple of acquisitions of other companies and when we've done that, we very quickly brought those solutions in as well. We've seen the value and because of that, it's part of our onboarding process when we integrate other companies into our environment.

If we create another solution or we acquire another company, we will certainly expand our use of Veracode to match within our current solution stack.

The support has been good at understanding issues. There are two aspects of technical support. One concerns issues with the platform in terms of functionality, and the other is that they will provide you with assistance in terms of interpreting your findings.

Our experience from the technical side is that they helped us with figuring out how to best use the platform for microservices applications. They were very helpful in that conversation.

We also have experience with the other layer of technical support that Veracode provides, which is where you can get consultations about the findings. We've done a few of those where you set up an appointment with a Veracode engineer. It helps to understand the results if the platform isn't totally clear on why something is a problem or what we need to do about it. For us, that's been pretty good.

Obviously, the Veracode engineer doesn't have the full understanding of what our application does and in a short call, you can't possibly do an architectural deep dive to understand the context of an issue, but their conversations have been useful when we've had them in terms of understanding issues and context and if we need to do anything.

Prior to using Veracode, we used other code quality scanning tools, but not anything at the level of Veracode for security issues.

The initial setup was straightforward. It was pretty easy to get going and we've incrementally gotten better and deeper as we've used it over the years.

The initial setup was manual uploads of applications, and then it was about incorporating it into our build pipelines and using the sandbox to support our microservices architecture. We've gotten more mature over time, but time to initial use and results were very easy.

Only a very short time is required for deployment, as there is very little that has to be done. Ours was completed within a couple of days and that's a matter of coordination in terms of getting our teams to upload a solution and figure it out. It was a learning experience for us but there was no time or delay brought on by the solution.

When we first began with Veracode, the initial strategy was just to get our first solution uploaded and scanned and see what the results looked like. We didn't have a systematic history of doing that, back then.

With approximately 500 employees, we're not a huge company. Deploying it in an enterprise company would be a different situation but for us, it was just a matter of understanding how we needed to configure the platform and how we needed to provide our software and states and get good results.

It probably took a couple of uploads of trial and error and we were running.

We implemented the solution in-house. It is not that complicated.

In terms of maintenance, there is certainly some overhead involved for each team. They have to make sure that the build pipeline integration is still working and essentially, that we're still getting results. Occasionally, for whatever reason, it breaks and somebody has to go in and fix it.

I can't say that there is no staffing required for maintenance but it's rare. In total, a few hours a month across the company is spent keeping it going. More time is spent evaluating and resolving the findings, which is part of our development work. That's not imposed by the solution but rather a positive outcome from using Veracode. As such, I wouldn't count that as maintenance. 

We have seen a return on our investment with Veracode. I can't point to a dollar figure, but I've been directly involved in customer conversations where we can talk about our security program and how Veracode is an important element. We've distributed report summaries and talked about results with our customers and having this information in those conversations is definitely valuable.

It's also very useful that we can talk about it with our security auditors. We have SOC 1, SOC 2, and ISO 27001, and they don't specify that you must have a static analysis tool. But when we need to maintain secure engineering practices, having a tool like Veracode is very important for us to demonstrate that to auditors. There's certainly value there as well.

There is also a tremendous value on the marketplace that we get from having those security audits and certificates, which is a second-order of value that Veracode drives.

I can't say with certainty that Veracode reduces the cost of application security, although I would say that it focuses our effort. It gives us guidance and prioritization on where we should spend time. Otherwise, we might not know about particular issues. We might inadvertently spend time on things that aren't that valuable. So, the value is more about focusing on where we need to spend time.

From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately.

I like that the platform provides you with some flexibility. We had to revise our licensing because it did not fit our environment. We wanted to license based on the number of applications, rather than another measure such as the number of lines of code. There was clearly some complexity that led us to be in that situation, although it seems preventable. Ever since our last renewal, the licensing has been smooth and clear. There is a certain amount of flexibility in that regard but also, they allow us some leeway in our current model.

There have been times when for some reason, we spin up a new application on a temporary basis. It may be because we're trying a new configuration. Even though we're licensed for a certain number of applications, the platform lets us exceed that. Consequently, we receive an email stating that we can't do that forever, but it's very useful to have the flexibility for the couple of times that we've used it to briefly exceed the application account.

I am not sure what other solutions, if any, the company looked at before choosing Veracode initially. We have renewed it since that time and we pretty quickly decided to stick with Veracode, rather than switching. However, because of the relatively high cost, we will probably evaluate other options next time it's up for renewal.

We see at least quarterly updates about new features or things that have been fixed. It happens without our involvement, which is great.

My advice for anybody who is considering Veracode is to test it. Although I have not compared Veracode against other products as part of an evaluation process, it would be very useful and very easy to actually try it. Top-load your application, get the results and take a look at what Veracode finds. This is the most useful activity somebody could do.

This is a product that lives up to its promise. It's easy to use, and it's predictable. There are some improvement opportunities but on the whole, it's very good at what it does. 

I would rate this solution a nine out of ten.

We use it for dynamic scanning and Static Code Analysis as well as for Software Composition Analysis (SCA).

We do use this solution's support for cloud-native applications.

We are a startup with 350 employees. The AppSec program initially was focused and aligned with regulatory audit, and compliance. However, over the past two years, we have "shifted left" : integrating AppSec early in our SDLC process. Having this tool has fast-tracked our response times in terms of scanning the code for third-party library vulnerabilities. 

The SCA, which detects vulnerabilities in third-party and open source libraries, was something new for us and is very well done. It provides guidance for fixing vulnerabilities. 

When we go from the dynamic scan to static scan to SCA, there is a huge change in the UI. This was not relayed to us when we were buying the product nor during the demo. They mentioned, "Yeah, this was an acquisition. The third-party library scanner was an acquisition from SourceClear."

You can see there is a huge difference in the user experience in terms of both the display as well as the usability of the product. That is one of our pet peeves: They are not normalizing the UI across the three product segments. We had numerous calls with them early on because we were new to the platform. The sales team is not aligned with the support team. The support team keeps telling us to use a different UI versus the one that the sales team showcased during the sales cycle.

There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed. It is ironic that they claim themselves as agile AppSec tool, but their UI doesn't reflect that.

We had a couple of consulting calls, and perhaps it may be the engineers that we got, they were not really up to speed with our frameworks. They were very focused on .NET and Java, which are legacy frameworks for us. We don't use these at all in our code base. We are using the newer, modern web frameworks, like Django. They have very little coverage or knowledge base on these, especially on the mobile side.

There are a lot of faults with the Static Analysis Pipeline Scan tool. Their tool seems to be very good with legacy products, which are developed in .NET and Java frameworks, but there are false positives when it comes to using modern web frameworks, like Python and Django. The C++ code doesn't even scan. We have spent at least three weeks worth of time going back and forth because it won't support the use cases that we have.

We have been using Veracode for over a year now.

It hasn't gone down. Nobody has complained about the Pipeline Scan being broken. The couple of times that they have, it was more to do with our ineptitude than with the platform capabilities. Once we understood how the platform is working and the gotchas associated with it, we were able to have a workaround within its constraints.

For our use case, it is sufficient. It has been up and running for quite some time and we haven't had any downtime experience with it. We get proactive notifications from Veracode about any upcoming maintenance, batch schedules, and other things. They have been pretty good with that. 

There haven't been any issues with multiple users logging in and slowing it down. It has just been inherently slow. 

We clearly mentioned during our purchase cycle that we have C++ code, a Swift code from a US perspective, Python libraries, etc. We were given assurances that these were absolutely covered under the solution. However, when we started investigating through support tickets, they admitted that these were not supported. We have very limited support for C++ code scans and other things. That was a bummer from my perspective.

The support has been good. However, we work in an agile environment and our release cycles are literally every two weeks. Their response times have been very delayed, especially as we are in the Pacific Time Zone and they are in the Eastern Time Zone. 

They have a great support portal to do self-service. We have been pretty impressed with that, but we soon realized that anything you pick is 10 days to two weeks out. That has been a non-starter for us. We had to constantly escalate through our account team to get an engineer on the call, because we were in the middle of a release and needed to scan the product at the moment.

At this point, we are doing sandbox scanning. We have implemented it with our Jenkins CI/CD tool to really scan the code, upload, etc. It took awhile for us to figure it out because the support wasn't really helpful. We had to hack our way into getting through the documentation. Since the time they acquired SourceClear, they haven't really cleaned up or integrated the documentation well, and that may be one of the reasons. However, we were able to find the right combination of keys to make it work.

We were previously using WhiteHat Security. Their lack of customer service prompted us to switch. Every question that we asked was just going into a black hole. The only time that we got any response was when our account was up for renewal. We had a long discussion with them to get a rationale behind their lack of response, and that was the only time they listened. There was no follow-up. That is when we decided that this is not a partnership that we wanted to continue anymore.

Veracode has automated a lot of the manual stuff that we were doing in terms of scanning third-party libraries. With any given release, I was spending from eight to 10 hours manually scanning through all 3rd-party libraries for vulnerabilities. Now, it is all within the Pipeline. So, I am saving about 10 hours in a given month with it.

The initial setup was moderately complex. The onboarding of the tenant, single sign-on, and access control were easy, but when it came to the real work of integrating the Pipeline Scan and our ticketing system, that is broken at this point. I spend most of my time manually doing this, and if they could fix that portion, that would save me another two hours worth of my time with every release.

The deployment took two to three weeks.

Because this was a SaaS service, we just onboarded one team, then looked through some of the gotchas from login and access perspective. Once the pilot users were all cleared up for any potential issues, we then onboarded the rest of the team. We have a small team of 40 users from a development perspective.

It's pretty straightforward from an onboarding perspective because it is all SaaS. We just needed to whitelist some IPs from Veracode for scanning some of our code, which are not publicly available. Beyond that, everything was pretty straightforward.

The solution was implemented by an internal consultant and me.

The time savings has been tremendous. We saw ROI in the first six months.

It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent.

We bought the product for its expected benefits, in terms of all the bells and whistles that we saw during the sales cycle. When it came time to really implement it, that is where we have been having buyer's remorse.

We evaluated Micro Focus, Black Duck, SonarSource, and Coverity. We felt Micro Focus was the closest to really addressing all three of our needs, which is SAST, DAST, and the third-party software composition analysis. Micro Focus had the most complete execution from an implementation perspective, but it was very expensive for us. We went with Veracode because it was within our price point. 

We are getting huge value out of the dynamic scan and third-party library scanning. However, the initial euphoria has died down at this point, so we will be looking at additional tools to augment some of the solution's shortcomings.

It is good for third-party scanning and if your code base is all modern web frameworks. It is also great for the third-party analysis. However, the Software Composition Analysis is not good if you have C++ code or anything legacy, as it does not cover that. It also does not cover iOS code. It has a lot of constraints.

The solution’s policy reporting for ensuring compliance with industry standards and regulations is fine. We are using it for internal reporting, but we haven't really dug into the policy definitions and tweaking them. We are using its default policies.

As part of our validation and testing, we are able to catch vulnerable code early on. That has been helpful. Automating some of the process has been really helpful, at least from our team's effort perspective. The tool highlights the risk associated with vulnerabilities. That effort is very much automated with this tool.

I would rate this solution as a six out of 10. If you have legacy applications, the solution is great. Their SaaS scanning is geared towards that. If you have modern frameworks, the SaaS scanning and dynamic scanning don't provide much value. My advice to anybody looking at Veracode: Use them for third-party scanning. They are really good at that because of their SourceClear acquisition. For the rest of their products though, just keep looking.

We use Veracode primarily for three purposes:

1. Static Analysis, which is integrated into our CI/CD pipeline, using APIs. 
2. Every release gets certified for a static code analysis and dynamic code analysis. There is a UAT server, where it gets deployed with the latest release, then we perform the dynamic code scanning on that particular URL.
3. Software Composition Analysis: We use this periodically to understand the software composition from an open source licensing and open source component vulnerability perspective.

For the issues that are being reported by Veracode, normally we collect those issues, and at least once a quarter, we have an awareness session with the developer. We then explain that what is the vulnerable pattern that has been caught and how to avoid it in the future, so they will not introduce it in the first place.

The main benefit of Veracode is it can give you a report in various formats, e.g., PCI compliant. That is very helpful for us. It gives our customers confidence because they trust Veracode. When we submit a report generated by Veracode, they accept it. We have seen in the past that this has helped us during the pre-sales cycle, and from that aspect, it is pretty powerful.

The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end. 

The static code analysis, which is integrated into the CI/CD environment, is a valuable feature. We get quick results of what has gone into the environment in terms of any vulnerability in the code and for the Eclipse plugins of Veracode. This is one of the more valuable features because a developer can get a sense at the line level if there are any issues. 

It is pretty efficient when creating secure software. For one or two particular applications, the dynamic code analysis can take too much time. Sometimes, it takes three days or more. That is where we find speed getting dragged. Apart from that, it is pretty efficient for us to get results and make our software secure.

If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us.

They could probably provide some plugins for the Visual Studio code.

Five years.

It is pretty stable with no issues.

If they need to scale back-end infrastructure to make the scan faster, then they should do it. Apart from that, there are no issues to mention.

One person can just start a scan. In our case, the DevOps team does it. They configure it once, then do it. However, the cycle takes time, depending on the codebase size, to look at an issue, identify if there are true positives, and then work on it. It is one person's almost full-time job.

I have a team of around six security professionals team who work on Veracode and use the tool. Two of them are team leads, two of them are senior developers, one is a DevOps engineer, and another one is a junior developer.

We normally create a ticket for Veracode support, then they respond back within 24 hours. Our experience with them is generally very positive.

Normally, the report that we get is self-explanatory, but sometimes there are false positives or some issues that we don't understand. For those, we schedule a consultation call, where they then come on a call and provide guidance on how to fix them. That is pretty cool.

Before Veracode, we had a manual process where we hired white hat hackers. They used to do all the scanning, then submit a report. That process was pretty lengthy. It sometimes could go on for three to six months. Nowadays, for static code scanning, we are doing it on regular basis. Since there are not many issues reported, we can fix them on the fly. For dynamic code analysis, it still takes a week's time because the scanning itself takes three days sometimes. Then, once the scanning is done, we check if there is an issue, fix it, and then start the scan. That is a week-long process, but the rest is pretty under control.

At the time that we set it up, it was quite complex. Now, they have made it pretty simple to use and a brief process. However, we felt the process was quite complicated when we did it. For example, when we initiated the static scan for the JavaScript, we needed a lot of instrumentation. That specific instrumentation that needs to be done at the JavaScript layer. Now, they can accept the bundle as it is and still identify the issue at the line number level. So, that is an enhancement.

They have done some improvements on the triage screen where you can look at all the issues. You can perform various actions over there, like mitigations or adding comments. They have simplified that interface a bit and made it a little faster. Earlier, we used to take quite a time for the check-in and check-out operations. However, now, it is quite fast. If we had to redeploy it from scratch, it would take around 30 minutes.

To start a static code scanning, do an upload, and start a scan, it hardly takes 10 minutes.

We do the setup and implementation ourselves.

Veracode has definitely helped us close deals with the software being compliant to our customers' various standards. 

Before we had Veracode, customers might have demanded some scanned compliance reports, which we didn't have. Because of that, we might have lost some customers during the pre-sales cycle. That cost is huge compared to what we are paying for Veracode.

It has saved our developers' time from six months to two weeks.

If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount.

We also used Contrast Security for real-time scanning on an experimental basis. If that is successful, we will probably roll that out. Contrast Security is very focused on run time scanning. Veracode also has some kind of module for this that we have not explored. However, the Contrast Security tool was suggested to us by one of our customers. We have not compared Veracode and Contrast Security yet.

The other tool which we use is Burp Suite for performing some manual verification. This is apart from what Veracode is not able to. Our customers are also reporting some vulnerabilities because they have their own scans. To verify those types of issues, we use Burp Suite. Burp Suite is pretty handy when you want to quickly do some penetration testing and verify some vulnerabilities. It is definitely a unique tool, and I don't think there is this kind of module with Veracode.

I'm pretty confident about Veracode's ability to prevent vulnerable code from going into production when I'm using it.

When you use Veracode, instead of using it as a manual tool, you should integrate it into your CI/CD pipeline. This way, every build is certified. Then, if there is an issue, you will know about it earlier in the development cycle, not later. Because as the time passes, it becomes more difficult to fix that issue.

With Veracode's support for cloud-native applications, there are some components of our application (which are cloud-native), that we treat in the same way as regular software, e.g., the source code and dynamic URLs. We don't have a model where we can do the real-time scanning. This is something which is currently in talks for maintaining the security of the distributed application. Hopefully, that should get implemented in about two months' time.

The reports that they share have been pretty informative, but someone has to go through them and read them quickly. In the early days, they might have offered some kind of training plan, but we did not opt for that.

Veracode has a plugin which we use, and it works with developer tools.

While there are false positive, there aren't much (around 10 percent). We normally farm these to the Veracode team, who act accordingly. Our developers still report 90% valid issues, and this is satisfactory for us.

Biggest lesson learnt: Security should not be an afterthought. 

I would rate this solution as an eight out of 10. I took off points due to the extra time that it takes to do the dynamic scan.

The primary use is as a static analysis tool. But we also use Greenlight and dynamic, and we're currently having a manual penetration test.

Firstly, it prevents me from putting out software that has security vulnerabilities, which is a big thing and can be one of the most important things. 

Also, we just finished a vendor due diligence with a very large company that wants to do business with us, and one of their security questions was "Do you do static analysis?" I was able to just send a very professionally done report. They know Veracode and they said, "Okay, great. This is terrific." 

That very reason is why, three years ago when I first got to this company, I said, "We have to get hooked up with Veracode right away, so it's not like an afterthought." Because I'd been in a situation where you do it after the fact and you end up with 3,000 errors, medium to critical errors.

It helps us put out better software more quickly, and gives me the piece of mind that we've done everything we can to prevent any security exploits.

It's something that our customers don't think about, and the benefit would be that as long as there are no data breaches, there's no hacking within our system, they get a non-functional benefit. We work with pharmacies and they just expect that the system is secure. I would view that as a benefit to them - maybe something that they don't think about - but nonetheless, it's there. 

Certainly it eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code bundle over to Veracode, which automatically kicks off the static analysis. It sends an email when it's done, and we look at the report.

Once it's set up - and it's pretty easy to set up - it pretty much just works and I don't really have to think about it, outside of whenever I get my emails to look at the reports.

It was a very easy integration that we did within the first week of going live with the software.

So ease of use, ease of integration.

The Web portal, at times, is not necessarily intuitive. I can get around when I want to but there are times when I have to email my account manager on: "Hey, where do I find this report?" Or "How do I do this?" They always respond with, "Here's how you do it." But that points to a somewhat non-intuitive portal. 

With that said, I hate when companies redo their portals all the time. So it's kind of a catch-22, but that would be my only critique.

It's always been pretty rock solid. 

No scalability issues that I'm aware of. 

Exceptional.

Veracode was really my first introduction to static code analysis. The way I came across it in my previous company was, they were going through security due diligence and we didn't have any code analysis software. The company, a very large health plan, said, "Here are three that we recommend." Veracode happened to have been one of them, along with HPE and another company, maybe it was IBM, I don't know. We took a look at all of them and we made a decision to go with Veracode.

It was easy. It's very straightforward. There's nothing complicated about it.

I haven't really thought about cost savings related to code fixes, since we implemented Veracode, other than: It's always easier and much cheaper to catch errors and fix them before you go to production, versus catching them while in production. Just like it's much easier to fix things before production, as opposed to having somebody hack your system and to find out that you have a cross-site script error.

But again, I've never quantified it in terms of whether it's saved me money. 

Just off the cuff, the cost of the license is small in comparison to the value it brings. I don't have to buy the software myself, I don't have to have specially trained security professionals that monitor this stuff. But I haven't really broken it down to quantify it into dollars, as such.

I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this product.

About licensing, just go ahead and get them.

Get a license at the beginning of a project. Don't wait until the end, because you want to use the product throughout the entire software development lifecycle, not just at the end. You could be surprised, and not in a positive way, with all the vulnerabilities there are in your code.

When I was at the last company, I looked at HPE (now Micro Focus) Fortify vs Veracode and maybe IBM had a product, but they were overly complex and overly expensive. I remember talking to our Veracode account rep, who also was my account rep originally here at Focus Script, and she did a fabulous job of explaining it, doing a demo, showing how easy it was to use, and that's what sold me. Again, it was recommended from a very large health plan as one of the more reputable systems out there.

CA Veracode provides application security (AppSec) best practices and guidance to our teams in a couple ways. First of all, they have an e-learning module that has courses that we have required our developers to take. That's a best practice.

Secondly, when we do have errors, Veracode is always available, their consultants, to help us either mitigate the error, or provide technical assistance on pointing exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are. 

They also have what's called a Software Composition Analysis that can point out errors and fixes for third-party software frameworks, which is very nice. The list goes on... And again, having received, early on, education from them on how best to integrate this in the workflow, those are areas where we've relied on best practices from Veracode.

I'm in healthcare, and it's very important - and I'm sure in other industries just as well - but the stakes are very high. If we get hacked, if there's a data breach, it could put us out of business. It's a very good price point for a small company to have these kinds of capabilities, something we can afford for our application.

I am very likely to recommend it to colleagues. As I mentioned, I brought it to this company, and I've already recommended and provided references to a few other companies over the last couple of years.