Veracode Reviews

At this moment in time, in my project, we are mostly using Static Analysis from Veracode. We automated it and added it as a step to our daily pipeline. We also tried using the pipeline plugin from Veracode that gives an immediate evaluation of your code. We're also using agent-based Software Composition Analysis. I have not exactly used it in my project, but I participated in investigating it and setting it up.

I know two flavors of doing Software Composition Analysis. The first one is a part of a daily static scan where you're uploading all your third-party libraries. The second one is by using agent-based, which gives more reporting capabilities but not doesn't affect policy scans, etc. We use both of them.

We use Software Composition Analysis as a part of our daily build pipeline, so we use Jenkins Plugin from Veracode. Every night, we upload our sources to the Veracode platform. In the morning, we receive results of Static Code Analysis and Software Composition Analysis. 

We are able to receive results for vulnerabilities in other libraries. We can then react to it and fix our code and those dependencies.

We do have a policy in regards to security. As a part of that policy, we cannot have very high-end issues. Usually, when you change third-party libraries, you need to do some level of regression testing. Our release cycle is long, and it could be half a year between releases or sometimes even more. By using Software Composition Analysis, we're checking our sources on a regular basis, and if needed, we change our libraries in our code, So, we are checking and mitigating any vulnerabilities if they are not applicable to our solution.

We use static scanning. This is the main use of Veracode for us. We package our application every day and send it to Veracode. We receive static code analysis results and also the software composition analysis results every day because the first focus for us is on quality improvement. The security improvement is definitely static scanning. We do have a process for analyzing and mitigating results around this static scanning. So far, we have been able to comply with our internal policy. At this moment in time, we are at the stage of releasing our product, and according to our internal policy, certain important issues from 2017 had to be addressed and fixed.

Veracode gives the possibility to find different vulnerabilities and flaws in code, and it also makes things relatively easy because everything is automated. Implementing such a high-quality tool like Veracode, immediately made us aware of a lot of issues, but the volume of issues that we had to address was really high. The support from top management made it easy to fix the issues that Veracode identified in the product that has a long history of more than 20 years. Without the support of higher management in organizing and defining a process of fixing those issues, it wouldn't have been possible to fix all those issues. We took the reports received from Veracode, planned our activities, reviewed everything, and started acting on it as a result. The new release that we have is according to our policy, which is an important thing for us.

It definitely helps in reducing the risk of a security breach, which is rather important for us for providing our customers with a secure product. Among our customers, there are a lot of big companies that take security seriously. So, for us, it is really important. The fact that we have executive sponsorship shows that security is very important for our management. This initiative started because we're treating security really seriously.

It is improving our productivity significantly. We just finished a big chunk of results processing, and we are still in the process of setting up our processes. When you're first doing that scan with Veracode, you receive a bunch of results and an overwhelming amount of flaws in your code. All those results need to be investigated. For some of them, it is sufficient to have mitigations, but some of them need to be fixed. We just finished those fixes, and there were a significant amount of security findings from Veracode.

Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us.

The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it.

I believe it has been about two years because Software Composition Analysis is a part of the policy scan, and our journey with Veracode has been for about two years.

It is stable. I didn't feel that many problems with it. We did have a few glitches with the platform, but they were not that many. So, I can say that it is stable.

I can't say anything about the scalability of this solution because we are not bothered about keeping its infrastructure up and running. We use Veracode Cloud, and we are not supporting or deploying it. It is just a service for us, and we consider it as a service. We submit the information and receive reports back from that solution.

In our project, every night, we are currently scanning our development branch and three versions of our releases. We have four applications, and I believe that from my team, at least 15 scans happen every night. We have a partnership with another company that provides a part of our functionality. They provide releases to us to embed in our solution. We also do the scanning for their part and inform them about the issues that we've found.

We will increase the number of scanned versions because with each and every release, during the support period, we're supporting versions of our product, and we're also fixing the security stuff. We will be increasing the volume of scans, but it will come to a logical point. When a version is no longer supported, we will definitely remove it from Veracode. So, all in all, at any moment in time, I foresee four or maybe five versions to support multiplied by four applications. There is also a development branch for each application, so there will be around 20-25 automated scans per night.

I am very pleased with the Veracode support because so far, there were no issues where they were not able to help us. Sometimes, in our questions to Veracode, we ask about the deep aspects of functionality, and so far, we've received answers for all those questions, and they were mostly good. I would rate them a nine out of 10 just because I didn't like some of their answers. Because of our approach of having each version as a separate sandbox in Veracode, we had questions about the consistency of results between different sandboxes, but then we realized that these are peculiarities of the platform. It is nothing serious or special. It was mostly related to our expectations from those algorithms, but it actually works perfectly. I can give a 10 for Veracode's support, but then they will have no growth to improve.

It was pretty straightforward. The problem that we had was mostly about our solution's architecture because the solution itself is big and heterogeneous. Some parts or regions are using the Java platform, and some parts are in the .NET code. The main problem was to correctly build our solution for Veracode. This was the only challenge. Veracode provided us with good functionality with their Jenkins Plugin that made it possible for us to automate our daily development. So, the main problem for us was mostly related to properly building our solution and using it in Veracode. It was pretty straightforward. There was nothing complex, but it needed some work from our side.

The strategy for Veracode implementation was pretty straightforward. From the very beginning, we stuck to the idea that it should be automated because all modern DevOps practices and approaches, such as Infrastructure as a Code, are widely used in our company. So, from the very beginning, we decided that it should be coded, and it should be stored in source control and uploaded. Veracode became a part of our process of everyday deployment, and it was a part of our strategy to make it a part of our life and use it as much as we can.

The number of people involved depended on the stage. At the initial stage, when we were evaluating it, there were somewhere around six or seven people who were making the decision of buying Veracode and other stuff. We have different companies and products inside our organization, and each and every product team is responsible for implementing it. We were the pioneers in using the solution from Veracode, and later on, it spread out to other projects. Now, we're acquiring additional licenses and so on. We planned everything with the help of the developer team. We follow the agile approach in our development, so everything was planned. User stories were created, and we just acted on them.

I participated in the review of tools. We reviewed not only Veracode. There were also other candidates for our main tool for static scan and software composition analysis. So, I have been involved in all activities around Veracode from the very beginning. What I liked about Veracode is that it is not just one product. It is a big ecosystem. It even has integration with Visual Studio, etc. First of all, we took a look at the scope of scanning. We compared the results of scanning and the functionality. Veracode had really great reporting functionality. In the end, we came up with the conclusion that Veracode fits best to our needs, and I believe we were right.

My advice would be to adopt Veracode to serve your processes. I believe that the processes inside the company shouldn't be changed significantly with the introduction of new tools. Definitely, for each and every new tool, you need to build some process around usage in terms of administration and control. Veracode has a relatively big ecosystem of tools, which is a big advantage, and my advice would be to check all those tools and see how they can fit into your process, and how they can improve them. There are a lot of options and a lot of tools provided by Veracode that can fit each and every process. Whether you are using a waterfall process or DevOps practices in your organization, with Veracode, you can add necessary steps to your process without making significant changes in the processes that you have.

We take security seriously, and Veracode is not the only thing that we have for security. We do manual penetration testing to security test our applications. We also have some dynamic scanning. We follow some practices while engineering and architecting our solutions. At each and every step, we are trying to cover our solution with the necessary security testing activities or security design principles. Veracode is a big part of our security, but it is not the only one. We are fixing all issues, especially those that are non-compliant with our policy.

We don't use any connections with Software Composition Analysis. It is a separate product in the ecosystem that makes it possible for you to deeply scan your third-party libraries. This is the only way we use it. 

In terms of Veracode SCA reducing our overall scan times, I believe that it is not applicable at this point. In the case of agent-based scanning, the situation that we recently had has shown that you cannot fully substitute Software Composition Analysis from a static scan with agent-based. That's because, in the end, documents that you provide together with the release are the policy scan results generated by static scan. You can reduce the amount of time for your scanning, but in the end, you need at least one scan where you will figure out all third-party states as a part of the policy scan report. You cannot use only agent-based Software Composition Analysis because they are two separate sources of information. We can use Software Composition Analysis and then somehow merge results from two sources in one document for it, which is inconvenient. We are having nightly builds for Veracode, and it doesn't matter to us whether it takes more than 30 minutes or less than 30 minutes. We haven't measured the time, but with the approach that we have set in our company, we can leave it for longer time periods, and after nightly build, everything is okay for us. So, Jenkins just does its job of uploading, and no one monitors it. We are just monitoring that the jobs are stable and results are available. Considering that we're doing it at night, it is not that important for us for how long it runs.

It hasn't exactly increased our fix rate because it is not about our code. It is about the third-party code. We definitely have to mitigate, and sometimes, we have to change libraries to a newer version, so it somehow affects our fix rate, but mostly, the static scan affects our fix rate because it shows flaws in our code. So, I don't see any significant improvement with Veracode Software Composition Analysis in terms of our fix rate. I don't see a direct relationship between Veracode Software Composition Analysis and our fix rate, whereas Static Analysis works and gives us the necessary results and plans for fixing and doing our next steps in security.

It has not yet helped our company with certification and audits. We haven't yet shared those green results with our customers, and we didn't have any certifications the last time.

I would rate Veracode Software Composition Analysis a nine out of 10.

The solution is used for performing application security processes like source code assessment, dynamic assessment, and SCA.

We sell the product to our customers. We are a vendor.

The SAST and DAST modules are great. The scanning part is also good. It’s pretty easy and convenient to use. Everything is described within the product. Almost everything is available in the community and the guidelines.

Veracode Greenlight scans the code while the developer writes it. It will be beneficial for developers if Veracode Greenlight includes Python.

I have been using the solution for almost one year.

The tool is stable.

The scalability of the product depends upon the pricing. The price is a bit high for a small company. It is suitable for a large company.

Support is very good. The support team resolves some issues within 24 hours.

Positive

I tried a few solutions before using Veracode. Veracode is better because it is convenient to use. The solution’s dashboard and features are pretty good. It is the topmost product among the other tools that I used. It is pretty simplified. Veracode has a lot of options to do authenticated scans. Veracode’s simplified features are helpful for people who use different authentication methodologies.

We are using the SaaS version of the solution. The initial deployment was pretty easy. The CI/CD pipeline has a lot of dependencies, like connecting with Jenkins and Jira. If we directly upload the code to the cloud, we can deploy the product within a single day. If we do it in the CI/CD pipeline, it will take some time.

One person can deploy the product. I haven’t had any maintenance-related issues with the solution. Whatever new vulnerabilities come, they are already updated in the database. Since we are a partner, it will be helpful if Veracode notifies us whenever it releases the vulnerability reports. We cannot always check the portal.

The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.

Veracode provides policy reporting to ensure compliance with industry standards and regulations. It is beneficial. The product also provides features to create custom policies. Most false-positives cases come under DAST. The false positives depend on the code. Veracode provides around 5% false positives.

The solution shows the vulnerabilities in the code and provides generic remediations for it. We must then search it on Google. The product’s community is also good. Sometimes, the product provides solutions in the community. These solutions work well on the production level.

I have also used the SCA features which help with identifying vulnerabilities in applications's third-party components. The Veracode user interface is so convenient and easy to use. Anyone can run a scan and generate a report easily.

The solution provides absolute visibility into application status at every phase of development. The users can get visibility through the CI/CD pipeline. The time taken to complete the scans depends on how much code is present in a specific application and how big the application is.

Veracode introduced a new module named Veracode Fix, which automates the fixes for insecure software with AI-generated secure code suggestions where the developer does not have to spend time searching and remediating the vulnerabilities. The developer does not have to spend time searching for vulnerabilities. Sometimes, the tool gives a generic recommendation, sometimes specific recommendations. It will be helpful if it always provides specific recommendations. The amount of time saved hinges on factors such as code complexity, the programming language employed, and the developer's proficiency in secure coding. If anyone uses Veracode throughout the entire process of building an application, from the start of development to the final production stage, can result in a time savings of around 30% to 40% when leveraging various security measures of the platform.

Veracode has had a good impact on our organization’s overall security posture. If we choose to take the complete Veracode module, we can have security from the initial step to the production phase. 

I will recommend others to implement the solution. Veracode is in the Gartner Magic Quadrant. It is doing a good job.

Overall, I rate the product a nine out of ten.

We use Veracode for its code analysis features, which include static code analysis, dynamic code analysis, and checking for security flaws in our code. Mainly, we utilize Veracode for application security, making code security one of our primary use cases.

Since implementing Veracode, we have seen significant improvements in our code's security and the overall code development process. Veracode has been instrumental in enhancing our code security and streamlining the development workflow. In the past, we relied heavily on third-party applications that were not directly aligned with our codebase. However, now we can seamlessly integrate Veracode into our application process, saving a substantial amount of time. Veracode has not only improved our security setup but also enhanced the overall security of our organization.

Before implementing Veracode, the same process that used to take one hour now only takes 15 to 20 minutes.

Veracode's policy reporting for insurance compliance with industry standards and regulations is good. We can integrate numerous reports, and the positive reporting feature is also highly commendable.

Veracode provides visibility into the application's status at every phase of development.

Veracode works very well overall, and our security has been greatly improved, significantly impacting our ability to fix flaws.

The security process has been improved. Before using Veracode, we used to perform it manually. However, at that time, there was no application that could be integrated with the code. Now, with Veracode, we can directly integrate it with our code. As a result, security checks are being done automatically, saving us 30 to 40 percent of our time.

Veracode offers various security features. Veracode performs the analysis using three different methods: static analysis, dynamic analysis, and software composition analysis. These security features are the best, and the most valuable features.

Veracode's ability to prevent vulnerable code from going into production is commendable. However, we have encountered numerous cases of false positives that need improvement.

The technical support service has room for improvement. There are times when we rely on them, but we are not receiving an adequate response.

The stability has room for improvement.

I have been using Veracode for one and a half years.

Veracode is stable, but there is room for improvement.

Veracode is highly scalable. We have not had any issues with scalability. 

Before I joined my organization, they used a third-party application to check code. Since I joined, we have been using Veracode.

The initial setup was somewhat complex. The deployment took a couple of weeks because we needed to resolve numerous technical issues that we had to understand first. We had six people involved in the deployment.

Veracode's price is reasonable.

I would rate Veracode an eight out of ten. I recommend Veracode to others.

Veracode's false positives significantly impact our developers. When we encounter numerous false positive cases, we are required to conduct extensive reviews. How much it affects our developers depends on the number of false positive cases we are encountering and the significance of addressing them concerning the criticality of writing the code.

Veracode can save time in our DevSecOps process, but it may not significantly reduce costs.

Organizations that have security flaws in their code and seek to enhance their core security can consider Veracode as one of the best options for investment. Veracode is easy to implement and can effectively address the flaws in the code, provided that cost is not a significant concern.

Maintenance is required from time to time, specifically regarding false positives. We need to verify whether the system is functioning properly and communicate with the support team. The intervals for these checks occur after approximately 30 or 60 days, which we have selected, and we must strive to improve the system during these instances.

Veracode is deployed at two locations within our organization.

We have multiple verticals and products, and we use Veracode to perform static analysis on our hosted applications across all the platforms. We also perform static and software composition analysis on a couple of products.

Our offices are spread out across North America, South America, Europe, and Cyprus. We also have offices in Australia that use the solution. About 25 to 30 people use the solution regularly. 

Veracode has greatly improved the security posture of our applications because we can identify and mitigate vulnerabilities that we couldn't have without the solution. Veracode provides compliance reporting so we can identify issues without having to rely on complaints. Veracode has been extremely effective at fixing flaws in our applications. We have multiple applications across multiple verticals

Veracode or any other solution like it doesn't prevent anything. The product provides insight into the vulnerabilities, but it's up to the end-user to mitigate that and move it into production. If we fail to remedy the issue and move the code into production, it isn't Veracode's failure. We can't judge the product based on whether it could do that. The product is doing what it should be doing.

In addition to dynamic and static analysis, we can perform software composition analysis, which involves going into the various libraries to retrieve details about that. We see a few false positives in Veracode but not many. It's negligible. 

Veracode has saved our developers time by identifying and reporting flaws. The developers don't need to spend time checking the code by hand. It reduces the time spent on these tasks by about 10 to 20 percent. 

I believe the static analysis is Veracode's best and most valuable feature. Software composition analysis is a feature that most people don't use, and we don't use SCA for most of our applications. However, this is an essential feature because it provides insight into the third-party libraries we use.

We have some constraints interacting with Veracode self-support. I'm not talking about their technical support. I'm talking about self-support. We sometimes have a hard time communicating with them.

I have used Veracode for the last five or six years, but the company has used it for nearly 10. 

Veracode is a highly stable product.

I haven't had a scenario where we've had to scale it.

I rate Veracode technical support nine out of 10. They are excellent. When we have problems, they provide a solution every time. 

Positive

We had been using a third-party service for vulnerability checking. 

The deployment is a little complex. There is a small learning curve, but it isn't too difficult. The installation isn't hard, but we need to configure the dynamic analysis where it connects to a hosted application and performs checks. We have to configure the console and set a schedule. It takes a couple of hours to configure a new application.

We have been able to mitigate lots of flaws and vulnerabilities, so Veracode has had a positive effect on our products. It's hard for me to quantify. Our company has a large footprint across Asia, North America, South America, and Europe. 

Veracode is fairly priced. 

I rate Veracode eight out of 10. I would recommend Veracode to other users. However, I suggest doing a proof of concept before moving forward with any solution. 

We use Veracode for static code analysis scans for our clients.

Veracode is deployed both on the cloud and on-premises.

Veracode helps prevent vulnerable code from being deployed into production by identifying problematic code. It enables us to send a report to the application developer, allowing them to address the vulnerabilities based on their criticality level. The developers are given six months to address medium-level issues and three months for critical ones. If the criteria are not mapped with the higher critical alerts present in those applications, we can enforce the build field and proceed without deploying it into production.

Veracode has helped improve our customers' organizations through the scanning taskbar, which identifies vulnerabilities in code. We have worked with ten clients, all of whom used Veracode to identify vulnerable code early in the development stage and resolve the issues. Additionally, Veracode offers Greenlight ID, which developers can integrate into their development process, providing clarity during the development phase. Veracode can also generate reports that developers can resolve, facilitating the quick resolution of security concerns.

The policy reporting for ensuring compliance with industry standards is excellent. The report helps us maintain our compliance.

It offers visibility into the application's status at every phase of development, including static analysis, dynamic analysis, composition analysis, and manual penetration testing throughout the Software Development Life Cycle.

Visibility aids the DevSecOps process by offering a clear framework for all involved departments, including the steps for handling severities.

Veracode assists our clients in addressing flaws by simplifying the process. The security team can review the code, approve or reject it, and developers can utilize the reports to promptly rectify the flaws.

It assists developers in saving approximately 20 percent of their time, primarily in the static part, as they no longer need to review all the code. Regarding the dynamic part, Veracode scans all the URLs, eliminating the necessity for developers to use additional tools. For third-party dependencies, developers depend on the reports and the Greenlight ID plug-in to streamline their workflow and save time.

Our clients depend on Veracode to improve their security stance.  

The CI/CD integration is the most valuable feature of Veracode. This feature is not present in other solutions.

The analytics dashboard is not user-friendly and can be improved to assist us with the application size and enable modifications, whether for static or dynamic scans. This is currently missing in Veracode.

Veracode needs to improve its integration with other tools.

We have requested an enhancement for Veracode because it does not support scanning the static and dynamic elements of code created by MuleSoft. Furthermore, it does not support these aspects for the new generation of applications and we have to use other tools.

I have been using Veracode for over seven years.

If there is an issue, I am unable to access all the logs due to insufficient permissions, which causes delays.

Veracode is scalable. To increase the scale, we simply need to increase the number of licenses.

The technical support team's response time is inadequate. Typically, they fail to provide assistance beyond the initial call due to the limited knowledge and inability of the first-level support to resolve issues effectively. I have been dealing with a single issue for three weeks without any resolution.

Neutral

The vendor handles the deployment, and we simply need to install the ISM agents on our network. The deployment time depends on the size of the application. Large applications may take up to five days to scan, but on average, it takes one or two days.

The pricing depends on the functionality each client desires. For example, one of our clients only wishes to scan two applications, so they pay for that specific service in addition to our organization's third-party access to their system.

I give Veracode an eight out of ten.

20 to 30 percent of the false positive rates are vulnerabilities. Sometimes, almost 50 percent of the reports are false positives, which affects the time spent on tuning policies.

The false positives increase the amount of time our developers need to spend investigating the reports. 

Veracode offers static analysis, dynamic analysis, and composition analysis all in one place.

We are a team of five individuals who assist in deploying and managing Veracode, along with handling other tasks.

Our client base varies depending on their budgets, but we serve a large number of organizations in the financial industry.

I recommend Veracode. The solution is on par with the others, and organizations can read the reviews and run some tests before making a purchase.

Our primary use cases are uploading and assigning scans, uploading compiled codes into the sandboxes, and searching marks to determine whether scans have been completed.

We have multiple locations, teams, and endpoints; we're a worldwide telecommunications company with over 2000 internal and external apps. Some apps communicate from the outside to the inside, but every app goes through Veracode.

We have to scan about 2000 apps, and we're already at 366 scanned within the year's first two months. Additionally, the company has been using Veracode for years; both are testaments to the solution's efficiency.

The platform provides visibility into application status at every phase of the development- Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Testing throughout our SDLC. In terms of DevSecOps processes, the solution makes them quicker and smoother, with less confusion.   

Veracode positively affects our organization's ability to fix flaws; we have a particular app at the moment that failed the scan twice due to its vulnerabilities. Without the solution, we likely wouldn't get that.

The solution has positively affected our organization's overall security posture and will continue to improve it. 

I like the sandbox, the ability to upload compiled code, and how easy it is.

It's also straightforward to find scans we've uploaded. 

The solution's ability to prevent vulnerable code from going into production is incredible. I have done several consultations and remediation calls with the app team, and Veracode catches almost everything. It picks up the same issues in everything we scan, and we've done a lot of retests that way; the tool is very proficient in this area.  

Veracode helps our developers save time; it's a straightforward product that shows us the vulnerabilities and allows us to relay them back to the developers. This is faster and more efficient than staff going through the code manually. The solution is like having a proofreading app for our code rather than using a proofreader.  

The sandbox could use some improvement; when creating a sandbox, it requires us to put the application name in twice, which seems unnecessary.

We've been using the solution for a month and a half. 

Veracode is very stable; unlike many programs and apps, I've never had a problem with it.

The solution is scalable; we're a global telecom company, and we use it to scan every one of our over 2000 apps. 

The technical support is excellent. 

Positive

I'm unfamiliar with the solution's pricing, but it must be worth the cost from a company perspective, as we have been using it for years and have no plans to move away from it.

The product was in place long before I arrived at the company, so I don't know if they evaluated other options.

I rate the solution 10 out of 10. 

I recommend Veracode to any company looking for this type of platform. Though I need to become more familiar with competitor products, I like going into programs and clicking around. Even if I don't initially understand something within Veracode, I can keep going and make sense of it. I updated my resume to include my new experience with the solution.

Veracode reduced the cost of DevSecOps for our organization; we upload a scan, run the test, get the vulnerabilities, and set up a remediation meeting. This makes communication more manageable, and the information is more visible, as all our staff can access the scan results. In several instances, we've consulted with employees from the Veracode side, and they've been very helpful in walking our app team and testers through whatever vulnerabilities we've had issues with.  

Software Composition Analysis (SCA) is used to detect vulnerabilities in open source libraries, which are used by our customers for their own product. 

We are a consulting company who provides consulting services to clients. We don't buy the software for our own internal use. However, we advise customers about which solutions will fit their environment.

Most of our clients use SCA for cloud applications. 

For application security, the SCA product from Veracode is a good solution. It has a good balance. Altogether, the balance between the outcome of the tool, the speed of the tool, and its cost make it a good choice. 

One of the reasons why we recommend Veracode because it is very important in that SAST and SCA tools, independently from the vendor, should work seamlessly within the build pipeline. Veracode does a good job in this respect.

In this day and age, all software is developed using a large amount of open source libraries. It is kind of unavoidable. Any product application has a lot of embedded libraries. In our experience, many times customers don't realize that it is not just a code that can be vulnerable, but also an open source library that they may take for granted. In many ways, this has been a learning experience for the customers to understand that there are other components to open source libraries, and that SCA is an invaluable tool to address those issues.

SCA provides guidance for fixing vulnerabilities. It provides extensive guidance for both writing secure code and pointing to vulnerable open source libraries are being used.

From the time it takes for the solution to detect a vulnerability, both in the source code and the open source library, it is efficient. 

Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code. 

The Static Analysis Pipeline Scan is faster than the traditional scan that Veracode has. All Veracode products are fast. I have no complaints. On average, a piece of code for a customer takes 15 to 20 minutes to build versus the Static Analysis Pipeline Scan of Veracode that takes three or four minutes. So, that is 20 to 30 percent of the total time, which is fairly fast.

Most of our time is spent configuring the SAST and SCA tools. I would consider that one of the weak points of the product. Otherwise, once the product is set up on the computer, it is fairly fast.

Like many tools, Veracode has a good number of false positives. However, there are no tools at this point in the market that they can understand the scope of an application. For example, if I have an application with only internal APIs and no UI, Veracode can detect that. It might detect that the HTML bodies of the requests are not sanitized, so it would then be prone to cross-site injections and SQL injections. But, in reality, that is a false positive. It will be almost impossible for a tool to understand the scope unless we start using machine learning and AI. So, it's inevitable at this point that there are false positives. Obviously, that doesn't make the developers happy, but I don't think there is another way around this, but it is not just because of Veracode. It's just the nature of the problem, which cannot be solved with current technologies. 

Once we explain to the developers why there are false positives, they understand. In Veracode, embedded features (where there are false positives) can be flagged as such. So, next time that they run the same scan, the same "vulnerability" will be still flagged as a false positive. Therefore, it's not that bad from that point of view.

Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of the false positive, it would be highly desirable if the false positive don't show up again on the UI, instead still showing up for any subsequent scan as a false positive. There is a little bit of cluttering that could be avoided. However, that is not necessarily a shortcoming of the product. I think it's more of a shortcoming of the UI. It's just the way it's visualized. However, going forward, I personally don't want to see any more vulnerabilities that I already flagged as a false positive.

It does take some time to understand the way the product works and be able to configure it properly. Veracode is aware of that. Because the SCA tools are actually a company that they acquired, SourceClear, the SCA tool and SAST tool are not completely integrated at this point. You are still dealing with two separate products, which can cause some headaches. I did have a conversation with the Veracode development team not too long ago where I voiced my concerns. They acknowledged that they're working on this and are aware of it. Developers have limited amounts of time dedicated to learning how to use a tool. So, they need quite a bit of help, especially when we're talking about this type of integration between the SAST and SCA. I would really like to see better integration between the SAST and SCA.

I have been using it for almost a year.

It is stable. One of the selling points is that it is a cloud solution. The maintenance is more about integrating Veracode into the pipeline. There is a first-time effort, then you can pretty much reproduce the same pipeline code for all the development teams. At that point, once everything runs in the pipeline, I think the maintenance is minimal.

We have deployed the solution to FinTech or technology medium-sized companies with more than 100 employees.

Their technical support is less than stellar. They have essentially two tiers: the technical support and the consulting support. With the consulting support, you have the opportunity to talk to people who have intimate knowledge of the product, but this usually takes a bit of effort so customers still like to go through the initial technical support that is less than stellar. We rarely get an answer from the technical support. They seem a lot more like they are the first line of defense or help. But, in reality, they are not very helpful. Until we get to the second level, we can't accomplish anything. This is another complaint that I have brought up to Veracode.

One of the reasons why we decided on Veracode is because they have an integrated solution of SAST and SCA within the same platform. Instead of relying upon two different, separate products, the attraction of using a Veracode was that we could use one platform to cover SAST and SCA. 

The SAST tool is pretty straightforward; there is very little complexity. The pipeline works very well. The SCA tool is more complex to set up, and it doesn't integrate very well with the SAST tool. At the end of the day, you have essentially two separate products with two separate setups. Also, you have two different reports because the report integration is not quite there. However, I'm hopeful that they are going to fix that soon. They acquired SourceClear less than two years ago, so they are still going through growing pains of integrating these two products.

The setting up of the pipeline is fairly straightforward. It works a lot of the main languages, like Java, Python, etc. We have deployed it across several development teams. Once we create a pipeline and hand the code to the developers, they have been able to make a little adjustment here or there, then it worked.

For both SCA and SAST tools, including documentation, providing the code, writing the code for the pipeline, and giving some training to the developers, a deployment can take us close to two weeks. 

Deploying automated process tools, like Veracode, Qualys, and Checkmarx, does take more effort than uploading the code manually each time.

As long as developers use the tool and Veracode consistently, that can reduce the cost of penetration testing.

Checkmarx is a very good solution and probably a better solution than Veracode, but it costs four times as much as Veracode. You need an entire team to maintain Checkmarx. You also need on-premise servers. So, it is a solution more for an enterprise customer. If you have a small- to medium-sized company, Checkmarx is very hard to use, because it takes so many resources. From this point of view, I would certainly recommend for now, Veracode for small- to medium-sized businesses. 

Compared to other similar products, the licensing and pricing are definitely competitive. If you see Checkmarx as the market leader, then we are talking about Veracode being a fraction of the cost. You also have to consider your hidden costs: you need a team to maintain it, a server, and resources. From that point of view, Veracode is great because the cost is really a fraction of many competitors. 

Veracode provides a very good balance between a working solution and cost.

There are other products in the market. However, some of those products are extremely expensive or require a larger team to support them. Often, they have to be installed on-prem. Veracode is a bit more appealing for our organizations who don't have larger AppSec teams or where budget is a constraint. In this respect, SCA is a good solution.

We have been using Checkmarx for years, but mainly for their on-prem solution. They do have an offering in the cloud, but we haven't done any side-by-side tests in respect to speed. We did do a side-by-side comparison between Veracode and Checkmarx two or three years ago from a technical ability standpoint. At that time, Checkmarx came in a bit ahead of Veracode.

Checkmarx is more complex to set up because it is on-prem with multiple servers as well as there are a lot of things going up. If you have a larger budget and team, look into Checkmarx because it is a market leader. However, when it comes to a price, I would choose Veracode for a smaller company, not a large enterprise. 

Another consideration for Checkmarx, as an on-prem solution, is that you are pretty much ascertained that your code doesn't leave your company. With companies like Veracode, even if they are saying that you only upload the binary code, that's not quite true. The binary code can be reverse-engineered and the source code can be essentially reconstructed. For example, Veracode would not be suitable for a government agency or a government consultancy. 

For DAST, our customers like to use Qualys Web Application Scanning. There are very few players out there that can test APIs, but Qualys is one of them. 

Another promising solution that allows for testing APIs is Wallarm. We have done a couple of PoCs with them.

We tested Black Duck a few years ago, but they only had a SCA solution. They didn't have a SAST solution. I think they do now have a SAST solution because they acquired another company, Fujita.

I don't think that Veracode has helped developers with security training, but it helps developers have a reality check on the code that they write and their open source library. That is the best value that developers can get from the product. 

Veracode products can be run as part of the development pipeline. That is also valuable.

It integrates with tools like GitHub or Jenkins. At a high level, it does integrate with most of the pipeline of tools. It would be a showstopper if the incorporation of security was not in the developer workflows. We are past a time when developers or software engineers run a SCA or DAST scan on the code, then hand it off to the development team. What works instead is to inject a security tool in a development pipeline, which is why it is absolutely paramount and important that tools, like Veracode, be a part of the build pipeline.

We limited the user to SAST and SCA. We haven't used any of the penetration testing, especially for the DAST solution that they have. For that, they are behind the curve, meaning that there are other products in the market that are being established. In my opinion, they don't have a viable product for DAST, because I believe they are not even testing APIs. So, it's not mature enough. We also have never used their pen testing because that is one of the services that we provide.

At this point, Veracode is one of the best solutions available, though it's not perfect by any means, but you have to work with whatever you have.

I will give the solution a seven (out of 10). When they integrate the SCA and SAST portions more tightly together, I could probably bump it up to an eight. Also, if they make improvements to the UI and the support, they can get a better rating. However, at this point, I would still pick Veracode for a company who doesn't have a million dollar plus budget.

Our primary use case of this solution is for static and dynamic analysis along with the source gear for the third party dependency (not IDM). 

We were looking into actually moving towards IDM, but that's the extent of my knowledge. They are licensed as two separate products. They're part of the same platform, but they are licensed separately.

We have Veracode, Veracode Developer Training, Veracode Software Composition Analysis, and SourceClear. SourceClear and SCA are pretty much the same. They just support different languages. Veracode as a whole, the top option, is the one that includes everything.

We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle. We rely on this set of tools to automatically scan our artifacts when they are moving to different environments. 

We got it to the point that when we were promoting the artifacts from desktop to the server environment, we already had the scans completed. We knew the vulnerabilities that we were introducing with the new features ahead of time, i.e. before the QA department was finding them. That was the main reason we decided to use Veracode or to use tools for static analysis and dynamic analysis.

With Veracode, it's not about features for us. It is about the pricing model that they offer. To be honest, with their vulnerability database, the total amount of false positives that we're getting is very low. 

That's the main reason we use Veracode over anybody else. New Veracode features could include a very big database of actual vulnerabilities to be better than other products.

Veracode owns SourceClear. They bought them in 2017 or 2018, and they still are not fully integrated with the actual Veracode dashboards. Right now, you have to use two separate tools from the same company. One for the static analysis and dynamic analysis, then the second one for the third-party dependency. 

That is an area that they need to improve the service. Veracode needs to bring the second tool in already to the dashboard so that we don't have to use two separate logins. We don't want two different sets of jobs that we have to upload into two different places, etc. Veracode also needs better integration of their tools to each other.

Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis. The SCA feature is on the website. Veracode should integrate SourceClear with the company product line finally after two years. I would love to see that. 

Veracode did not previously support Python 3. They just released the support for Python 3. Keeping updates coming quicker would be the main thing that I would love to see, i.e. to have all these solutions better integrated.

We have been using Veracode as a solution for almost two years.

It's a very stable solution.

Scalability is the main issue with Veracode. For my company, the outlier is out there, but when it comes to scalability, we had issues with automatically scanning springboard artifacts. If you scan the artifacts, they want the artifacts to be packaged in a specific way. This is very well documented on the website but it's not the way we're doing business. 

The workaround was taking the build that was getting put together by Jenkins and moved through the environment. We had to make a separate one, packaged differently just for the tools to work. For the scans to work, if that makes sense. Maybe we are just weird in the way we package our artifacts but maybe many are having the same issue.

We have about 200 engineers that have user roles in the solution. There are different roles. We have security administrators. We have team leads. We have managers. Their roles are all very well put together. Each team has a manager that has access to more features than the rest of his team. They can create things, delete things, compared to the regular guys that can only see the reports. It's very well structured, from that standpoint.

Theoretically, everything is integrated with Jenkins, so the staff depends from one application to another, i.e. three people or eight people from our side. From their end, in our pricing model, we have access directly to an account manager. They have a team of engineers that usually help us if we encounter any issues. It's very extensive in use. We have about 80 services and applications going through using the scanning solutions that Veracode has and we are scaling up.

The solution's technical support is absolutely fantastic and very fast. Veracode has very fast resolution and response times. Usually, when we have an issue, it's only a few hours before we get an answer from them.

Another time, the Veracode integration wasn't working and in about 3 days we came up with a solution to our problem. At the high level, the beginning of the conversation with Veracode tech support is pretty fast. It's only a few hours. 

Coming up with a solution takes two to three days at the most with Veracode. We pay a lot of money for that. You get what you pay for.

We never did use other products. The reason we started looking into IBM and WhiteSource was because of the hiccups or the speed bumps we were encountering with our springboard artifacts. We were in the process of evaluating other products and I think it's still a valid option. I wouldn't advertise it, but we were in the process of changing from Veracode just because of that one particular issue.

We had to build our artifacts differently than before just to scan them, i.e. instead of scanning the ones we were publishing. It's not a big deal overall, but it would be nice for the solution to work out of the box with everything that's out there. Instead, many companies are changing the way they're doing business just for this small little step in the delivery process.

I was not involved with the initial setup. When we were uploading new applications to their solutions it was very straightforward. Their documentation is really good and very detailed.

In the worst case scenario, if the implementation engineer just runs through the material, you can go on the website for resources. The way they have everything documented is very good. Veracode is very well documented.

I do not have any information on ROI. We became better from an engineering standpoint, but I don't know if we saved a ton of money in the process.

They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static analysis was about $4500 yearly. The license is only for the number of users, it doesn't matter what data you put in there. That was the old model. I do not know how the new model works. 

We are in negotiations with Veracode. The old model was about $500 for dynamic analysis and about $4500 for the static analysis, per app or service, per year.

Veracode offers a lot of other license options that you can put on top of what we just discussed, but I don't think we ever looked into any of those. The way we implemented it was very straightforward. You have your app and you pay this much for both dynamic and static licensing. That's all we cared about per year. 

We looked at IBM before we decided to go with Veracode. I've seen the documentation that our director of information security put together. 

We looked at six different solutions before we went with Veracode. Another company does their pricing model based on lines of code. WhiteSource was one other option we evaluated.

We did review a few of them. IBM App Scan and WhiteSource were definitely on the list. I don't remember the rest of them.

If the springboard issue doesn't hold them back and the pricing model stays the same as the one that we have right now for this year with them, it's a good deal. Veracode is pretty straightforward to use and the support is really good. We don't have a lot of complaints about that. 

I don't know how the pricing model is going to change the actual price of the application. On a per license basis, Veracode has a very lucrative way of doing business. I don't think a big company that has a lot of services and applications would enjoy paying upwards of $200,000 per year to scan all their code. 

Prospective customers should look at how the pricing model affects them, especially if they are in the microservice type of architecture or if they are moving towards something like that.

I would rate Veracode an eight out of ten just based on the experience that we had the past two years. The reason it's not ten is because of the ways these tools integrate. 

That rating is at risk of becoming a seven now with the pricing model changing. Veracode is probably not going to be that attractive anymore compared to other competitors. We knew other competitors were more expensive. The reason that we didn't go with them was that Veracode was very straightforward.