Veracode Reviews

Veracode helps scan applications for security purposes to ensure they are safe before deployment. The solution is continuously monitoring the security of our infrastructure and workflows. About five people use the solution across our organization. 

Our security posture has improved since we implemented Veracode because our developers have a better understanding of the security risks that may arise due to some actions we take on various projects and tasks. We're more aware of how vulnerabilities can be introduced into our daily work. 

Veracode has reduced the amount we spend to remedy security risks by about 60 percent. Security testing is much easier than before. The time needed to address vulnerabilities can affect the workflows and lead to late delivery of our services across customers. It has helped us to mitigate risks by effectively monitoring workflows. The conditional scanning procedures we previously used have been replaced by modern systematic algorithms.

Veracode saves time and costs because it's flexible in terms of an organization's data requirements. It can provide data intelligence from various work platforms and guidance on the best practices for security mitigation so we can safeguard our data in various work processes.

The solution enables us to establish a strategic policy management infrastructure to monitor the performance of each application periodically and report on the security performance. The dynamic analysis gives us feedback from time to time and performance metrics inside the program interface. 

This platform is one of the most efficient and effective tools for upgrading applications to meet an organization's performance standards and policies. It helps us improve our development because sometimes the coding procedure might not reflect the latest threats. 

Veracode's most valuable aspect is continuous integration. It helps us integrate with other applications so that it can monitor the security process. By continuously scanning our applications, we can mitigate risks that may arise in some workflows. It streamlines compliance, policy management, and reporting on various data analytics. We use it daily to gain insight into our work processes.

The solution is built into our SecOps program. It offers modern policy management, essential support, and analytics features. It's efficient with fast and powerful risk-mitigation tools.

I think Veracode could integrate some advanced technologies to better address new threats as they arise. 

We have used Veracode for about a year.

Veracode has been a stable product. We've had some downtime, but it has performed well overall. 

I rate Veracode support a nine out of ten. Veracode's support team has always been helpful. When we contact them by phone or online chat, they respond quickly with a solution within the time frame established in our support contract.  

Deploying Veracode was straightforward, and we had help from the vendor's support team. Our deployment team has six members, and the whole process took about three weeks. 

After deployment, the product requires some maintenance. We sometimes face some networking challenges that require repairs, and we need to periodically update some tools.

Veracode is a good investment, and I can recommend it to anyone who is looking for the best security tester. I estimate that we saw a 60 percent ROI this year, and it continues.

Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses. 

I rate Veracode an eight out of ten. I would recommend it to others who need to do testing for application performance or security and risk management. 

The most important purpose of this platform is code security. We are able to scan our code and find security flaws.

Veracode has saved us a lot of time because we have been able to reduce manual processes. We are able to do most things automatically with the platform. It has saved us between 30 and 40 percent of our time.

The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws.

The sandbox environment is also one of the features we are using as well as integration with our CICD pipeline, which is very useful. The product is pretty easy to understand, which is quite good.

The policy reporting for ensuring compliance with industry standards and regulations also helps us a lot.

It gives us visibility into application status at every phase. We have definitely seen an improvement in that regard.

I'm pretty new to this platform. I'm going with a trial right now and have been using it for about a month. We have spent most of our time analyzing the code.

It's a stable product.

It is also very scalable.

The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced.

Neutral

This is the first such tool we are using.

The initial deployment was not very complex. It took us around 15 days because we were trying to understand the policies and many other things. Our team has 15 people and everyone was involved in making some decisions regarding the solution.

We have only needed help with the product itself. That's what we have reached out to their team for. But there hasn't been any maintenance of the product for us.

The pricing is a bit high. Although we are in a trial phase, if we are going to make the decision to purchase the software, the pricing is going to be high for us.

We are able to justify the false positives because security flaws are one of the biggest things that Veracode's features help us with.

Overall, the product is good. It has made a very good impression. There are some flaws, as I have mentioned, but overall it looks very good, with the features I've mentioned. The impact on our security has been good. The main challenge for us will be the pricing, but if we ignore that factor, the impact has been very good and we would definitely implement Veracode.

I would suggest having a look at Veracode. Go for a trial of the system to see if Veracode is something that can help solve your problems. Pricing should be ignored because there are definitely some very specific features that help a lot. 

We are developers who utilize Veracode for the static and dynamic scanning of our applications.

Veracode provides both us and our customers with confidence that our applications do not have any issues by helping to prevent any vulnerable code from being deployed in production.

Veracode has helped us improve the way we conduct static and dynamic code testing in our organization. Based on the reports we receive, we can quickly identify what needs to be fixed immediately after the scan. For minor issues, we are given time to address them after moving into production, but for major issues, the application is unable to enter the production phase.

We utilize Veracode for static and dynamic code scanning in our software configuration and lifecycle management. It is integrated as part of our pipeline, allowing the code to be automatically scanned in the background. This enables us to review the reports promptly.

The information provided by Veracode enables us to easily rectify vulnerabilities in the workflow.

Veracode can help our developers save time, depending on the issue and the age of the application.

Veracode saves time by automating the basic tasks that were previously performed manually.

Veracode has had a positive impact on our security stance and has empowered our customers to confidently migrate their applications to the cloud.

The static scan and the detailed reports, which include issue information and permissions, are the most valuable features.

Veracode does not support scans for .NET Blazor server applications. We encounter errors whenever attempting a scan. I would appreciate it if Veracode could incorporate support for these applications.

I would like Veracode to offer code support for the latest releases of .NET whenever they are released by Microsoft.

I have been using Veracode for over one year.

Veracode is stable.

The technical support is helpful, but they operate on their own schedule, so in certain instances, we have to endure a considerable wait for a resolution.

Neutral

I give Veracode an eight out of ten.

Our customer provides us with a Veracode profile account for uploading and testing code. We do not manage the solution or have any insight into how it is deployed.

I highly recommend Veracode for assisting in identifying vulnerabilities in code.

I have learned that Veracode can confidently scan and detect vulnerabilities in code. However, for older or unsupported applications, we need to seek an alternative solution.

I have implemented Veracode for both static and dynamic analysis to minimize errors in my application and avoid the need for manual reviews. This enables us to create a risk-free application in the code. Additionally, I utilize external libraries and licensing to accelerate the process of identifying vulnerabilities in my software development. This helps me and the development team to provide comprehensive information about the code.

Veracode's capability to prevent the deployment of vulnerable code is impressive. It allows for quick detection of defects during the development cycle, leading to faster release of improved code, and ultimately ensuring that our product is free of vulnerabilities. This feature is a great advantage for our organization.

SBOM is beneficial as it enables us to verify software licensing through static scanning. This helps ensure that the product we provide in the market is compliant with industry standards and user needs. In my opinion, this is a fantastic feature.

Creating a report is easy when using a sample template that we can relate to. If we know what kind of data we want to include and how we want it to be presented, the process of creating a report can be completed quickly.

The main advantage of using Veracode is the assurance that we are developing stable, secure, and fast solutions that are free of risks. This provides us with a clear picture of our progress toward our goals. Veracode helps our developers by providing remedial action and reports in various formats, ranging from summary to detailed. This allows us to customize our reports and share visually appealing reports with the team.

Having visibility into the status of our applications at every phase of development throughout the software development cycle enhances our DevOps productivity and ensures a stable solution.

The false positive rate is valuable. The benefit is that the false positive results provide our developers with a clear understanding of their proficiency level in development. However, the drawback is that during fast penetration or testing, they may receive alerts that can cause frustration. Additionally, if they perform another test, the previous alert may not appear again, making it difficult to address the issue. Overall, I believe that false positives can boost our developers' confidence in their abilities to a certain degree.

The false positives identified through static analysis have been beneficial in saving us time. Due to our use of advanced tools and record-keeping practices, we have been able to streamline processes such as data importing, which may have otherwise required local or manual methods. This has resulted in significant cost and time savings for our team. With the ability to work remotely using tools like Veracode, we are able to provide effective reporting and management for all software applications.

Veracode has been a time-saver for our developers by enabling those with different programming languages and skills to collaborate and develop stable solutions together. As a result, we are able to save some time.

Our overall security posture has been positively impacted by Veracode. We are confident that our solutions are highly secure for our clients and stakeholders. With Veracode's assistance, we ensure that our applications and software are free from bad code and other vulnerabilities. By troubleshooting alerts, we prevent abnormal codes from reaching production, creating stable and secure solutions. Veracode helps ensure social sustainability during the UAT process before we release the final product to consumers, resulting in a highly secure end product. Veracode has enabled us to offer a stable and trusted solution that fosters transparency between our company and the end-users, supporting their needs and activities.

Veracode reduced the cost of our DevSecOps by allowing us to use a single tool that can be operated by a small team of developers. We saved around $1,500 USD using Veracode.

I believe that testing code early on is always beneficial, and using UI saves time by detecting issues in the flow before the release cycle through verification scanning. Additionally, I appreciate the integration provided by Veracode that seamlessly integrates with our CI/CD tools and allows us to integrate with IPA as well. Overall, I'm impressed with the integration and user interface.

Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans. However, we can run these scans in the background to minimize disruptions. Static scanning can be a slow process that requires some time.

The cost and scalability also have room for improvement.

I have been using the solution for three years.

Veracode has no downtime and is highly stable.

The scalability is neutral because it lacks some integration. We have 12 end-users within our software and engineering departments.

The technical support is responsive and helps us resolve our issues quickly.

Positive

The initial setup is straightforward. I deployed the solution myself.

The implementation was completed in-house.

Veracode assists us in increasing our sales by allowing us to redirect the funds that would have been used to pay our ex-pats to troubleshoot errors or issues with vulnerable code. Consequently, we are experiencing a higher return on investment, and our company has generated over 55 percent return on investment since implementing Veracode.

The pricing for Veracode is high, making it difficult for beginners to afford. Whether or not Veracode is a viable option may depend on the specific needs and use cases of the user, as it may not be affordable for small businesses.

Veracode is costly, which makes it unsuitable for small organizations. However, if an organization has the budget for the solution, it is worth investing in.

I give the solution a seven out of ten.

I believe that it is a wise decision to test our code to ensure its security. Utilizing Veracode is a beneficial practice as it examines our code and provides recommendations on areas that require improvement. This ultimately results in a stable solution. However, I advise using Veracode only if the business has the budget for it, as it can be expensive. Any organization that chooses to use Veracode, can be confident in the quality of its solution but must be prepared for the associated costs.

We use Veracode to scan our codes for vulnerabilities and risks.

Veracodes' ability to prevent vulnerable code from entering production works very well and it can detect the type of script used.

The software bill of materials helps us understand the industry that we are in and ensures we have a stable solution.

We can easily create a report using a software bill of materials because it has good templates that we can use.

Veracode has improved our organization by allowing us to fix the flows quickly for our clients by making data coding easy.

Veracode provides visibility into all phases of development.

The visibility into our development provides confidence to our DevSecOps that they will be able to deploy on time with no errors.

The false positive rate is good but we require a lot of skills to utilize it properly.

The false positive helps our DevOps troubleshoot every stage of development and increase their efficiency which boosts their confidence.

Veracode has helped our developers save around 20 percent of their time.

It has increased our organization's ability to fix flaws. We can scan code in a video which reduces costs and risk.

Veracode has increased security in our overall security posture because it detects flaws during scans.

We have saved around $500 a month in DevOps with Veracode.

Code scanning is the most valuable feature. 

The templates allow us to create wonderful reports.

The software bill of materials feature helps our supply chain security.

The backend support team of Veracode requires improvement as they are difficult to reach when we encounter issues.

The UI is not user-friendly and can be improved.

The speed of our internet connection affects the scanning process, which may take a considerable amount of time to finish. As a result, this can lead to challenges in planning and reporting, causing confusion.

I have been using the solution for three years.

It is stable.

Veracode is scalable.

The support is slow to respond.

Neutral

The initial setup was straightforward. I deployed the solution myself within three days.

The implementation was completed in-house.

We have seen a 32 percent return on investment with Veracode.

The licensing cost for Veracode is fair.

I give the solution an eight out of ten.

Veracode is user-friendly depending on how we use it. 

We have seven people using the solution.

Veracode does not require any maintenance on our end.

Veracode is a secure, reliable, and sustainable tool that all organizations should use for scanning code.

I use Veracode to ensure the projects I deliver don't have vulnerabilities. 

Veracode provides insight into vulnerabilities at every stage, so your team can progress through the development cycle more efficiently. It improves developer confidence by showing us our capabilities and the potential of our code. 

Our developers improve and become more efficient using Veracode. Once we identify issues in our code, it's much easier to avoid the same mistakes in future projects. It teaches them how to overcome those vulnerabilities and errors while reducing costs.

Veracode saves a lot of time compared to traditional methods for identifying vulnerabilities. We save around $500 a month using Veracode because we don't need to hire experts. 

Veracode has improved our overall security posture. We feel assured that applications we deliver to clients or use internally are highly secure. It has helped us develop strategies to create stable, secure platforms.

I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate. I love the Software Bill of Materials (SBOM) feature because it helps you explore various industries and understand what to do to minimize risks and maintain compliance. It's straightforward and ensures my applications are compliant. 

It's easy to create reports using the SBOM feature because it has templates that you can customize depending on the reporting requirements. It gives me a report of the compliance requirements for any industry. It helps us internally and improves the services we provide to our clients.

Veracode is great for preventing vulnerable code from going into production because it covers various programming languages like JavaScript and PHP. You can be confident that your code is secure no matter which language you use.

Static scanning takes a long time, so you need to patiently wait for the scan to achieve. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings. 

I've used Veracode for three years.

Veracode is stable. I've been working with it for a long time. 

I rate Veracode support 10 out of 10. They're friendly and responsive. 

Positive

Deploying Veracode is straightforward. I did it with one other colleague. 

We can afford Veracode, but it's too expensive for small enterprises. If you're concerned about the price, you should weigh the benefits you can achieve. It has saved us a lot of money on DevOps. We save about $500 a month by not outsourcing this work to experts.  

I rate Veracode eight out of 10.

It's an excellent product for developing a secure platform that will benefit your company and its customers while helping you build a sustainable development team. Before implementing Veracode, you need to prepare and have at least one person who understands how to use the product. 

We use Veracode to identify any security issues or flaws in our code so that we can eradicate them. We also use it to keep developers on their toes, to make sure they don't introduce any new flaws.

It is helping us a lot because we can easily identify vulnerable code by just scanning and, therefore, we are able to prevent it from going into production.

Veracode has given us access to high-quality data and automated testing, and it has helped our organization to make sure that we create platforms without any malicious code or risks. Our application for our clients is very secure. And because it has static code analysis and produces good reports, it has definitely enabled us to be very scalable in what we do and to produce a stable solution.

What it has done is that before we try to implement, we think over the security using Veracode. We analyze things and create a very good report of what it is going to be. So in the future, we have an application-centric view that is giving us the possible threats. Before we scan, we already know what the targets are that we want to achieve.

The solution also really helps a developer to know exactly where they need to fix things and where they implemented errors, by allowing them to analyze their code. So confidence that developers get from Veracode is that they know exactly what code is causing an error or causing a vulnerability. They avoid those issues and it helps them to really develop very quickly.

It has saved quite a bit of money and effort. It helps create a meaningful improvement in the security of our products. It helps you to develop faster. You save a lot of time because you don't have to debug things manually. That would take a lot of time. You just scan with Veracode and you see all the code that needs to be fixed. It really saves a lot of money because it would be very expensive to hire a technical team or developer to trace every issue in the code. A single package of Veracode saves you a lot compared to if you were to have a team of three or four people[e. With Veracode, small teams can use it and do their tasks better. At any stage of development, they know where to fix things and the flow makes it easy to produce things on time. It saves us 50 percent of our time.

And with security being paramount, we now know that every solution we are providing, that we put into production, is stable, secure, risk-free, and compliant with industry standards. We are now trusted by more of our customers who use platforms as well as by more stakeholders.

It has helped reduce costs because we have two or three developers who can maintain security by doing the scans. We don't need a lot of developers. We just need a few with the technical skills to use Veracode.

The user interface is quick, familiar, and user-friendly and makes navigation to other software very easy. It is also easy to scan a new application and view the results of previous scans and generate a report.

It is really great when it comes to knowing the vulnerabilities in the code as well.

Veracode has also really tried to make sure that they comply with any standards and regulations, and the process is quick and quite straightforward. That has had a very good and positive impact.

It can be a bit complex because it takes a lot of time to have it complete the task.

Also, the interface is disjointed. 

And the documentation is kind of confusing. It may not be updated in the same way that the software is.

There is also a little bit of a learning curve before you can do security scanning of any application.

I've used Veracode for three years.

It is stable. I haven't experienced any downtime.

And it is scalable enough. You can integrate it with third parties to come up with a meaningful solution.

Their support group is very good. They really make sure that you get enough support. You can schedule a consultation and most of the consultants are very helpful in troubleshooting any lines you go through.

However, technical support literally takes weeks or months to respond to requests and that causes a lot of delays. It's horrible. It affects our workflow and progress.

Negative

We didn't have a previous solution.

Deploying and implementing Veracode is straightforward. Things get complex when you want to use it.

It doesn't require any maintenance.

We did it in-house. I worked with two of my colleagues.

To a small extent, we have seen ROI, on the order of 10 percent. It is very expensive to use and that means you really need to make a lot of sales before you can compete with the cost of Veracode. The ROI is there, but very small.

It is expensive. It depends on the use case, but it is very hard to find a pricing page on their website. Instead, they need to analyze your use case, but without knowing the entire project and how you're going to be using Veracode, how many scans you're going to do, if yours is a small business, it is very expensive and it affects ROI.

If you're concerned about the price, it is not a good solution for a small company.

Veracode's false positive rate is moderate.

My advice would be that this is a great platform, overall, if you have the budget to use it. It does great work that can really help out. But I wouldn't recommend it to a small business because the pricing is not registered on their website. They will have to take you through an assessment. The responses that you deliver will determine the pricing you'll be given. In the end, it may affect ROI.

But if a business is okay with the budget required by Veracode, I would certainly say it is great. It does a lot of security scans to make your applications secure. It will help developers to develop faster.

In my previous company, we had a healthcare app. We used Veracode to run a spontaneous static analysis as well as dynamic analysis, to resolve our vulnerabilities. We were releasing versions every month. Each month we were looking at the results of Veracode and fixing the problems.

It helps fix a lot of flaws and bugs. As a developer, you look at things with a different perspective with the Veracode results. You can see that certain things can be implemented in another way, how they can be more secure. As a result, it helps improve your level of understanding and decrease the number of production issues.

Using Veracode, it was very interesting to see the difference when I compared things over a three-month timeline. During the initial three months, when I started using Veracode, I found the percentage rate of flaws was around 60 to 70 percent in the entire file we were uploading. After using Veracode over the next three months, our score decreased to a 30 to 40 percent flaw rate. We were able to do our quarterly development in a very secure way.

For example, we recently encountered a flaw that might be exploited. We implemented a function to store passwords that were encrypted. That functionality was written in a pretty vulnerable manner. By looking at the code, we could see, "Okay, this might be exploited." But when Veracode pointed out multiple times, "This might be vulnerable," and "This might be vulnerable," it helped us improve our developer standards. It gave us a brief idea of how this particular code implementation could be improved.

There is also a feature called Veracode Pipeline Scan which provides instantaneous feedback. That was a major addition to our process and has worked out very well. Developers get instant feedback about their flaws, making them easy to fix while in pre-production. That is one of the major boosts that we have implemented. It enables our developers to fix things in parallel, and that has saved time, about 20 to 25 percent, and resulted in better coding. As a security guy, I can see the differences between the initial processes and the processes we have six to eight months after implementing Veracode Pipeline Scan and Veracode in general. 

Overall, it has reduced the time that we used to spend working manually to pinpoint the issues that we found. Veracode makes it an automated process. Also, we can use it in parallel. If Veracode is the main "hub," we can have "sub-hubs" such as static analysis and Veracode Pipeline Scans. Both can be done simultaneously, reducing the manpower required by a lot, and providing correct results. And it has improved our understanding of the different kinds of flaws and vulnerabilities that are in the report. Veracode, as a tool, has made things better.

In terms of security posture, when I had just joined my previous organization, there was a meeting about client feedback. Initially, their comments were that things were not very stable. They said it was easy to steal data. After using Veracode, and as our developers adapted the tool and developed secure code, the client's feedback was that things were pretty stable and good. At first, the feedback was very ruthless. We were not up to security standards. But once we started using Veracode, it became the main pillar of our security. We overcame certain challenges and the client feedback was pretty good.

It yields around 90 percent accurate results. It pinpoints the errors. Its accuracy is very interesting. It also elaborates on flaws, meaning it provides you with details about what is valid or not and how something can be fixed.

Another valuable feature is in the dynamic analysis, which provides information on which libraries are outdated so that we can improve them and get them up to date. We found a lot of outdated libraries in use in our organization. As a result, it has improved our stability. The software composition analysis keeps you updated on each kind of data it reports on, including libraries and third-party DLLs.

There is a sandbox limit of 10 so any company using Veracode needs to plan for only having those 10 sandboxes. If they increased that to 25 or 30, the scan time would decrease and the results should be more effective.

There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. 

Also, the duration of the scan is a bit too long.

I used Veracode in my previous company but recently changed to a new company. Overall, I have used it for around 1.5 years.

Its stability is fine. On a scale of one to 10, I would give it a seven for stability.

It's a scalable solution.

We have it implemented in two offices, the main office in the US and a single office in India. There are only 10 to 12 people using it in our organization, meaning in India. I am not aware of how many users there are in the US.

Their support team needs to respond in less time. It takes a lot of time for them to respond. When we reach out, we are waiting, most of the time, for two or three weeks to get a reply from them. That is the one major piece of feedback I have for Veracode.

Their technical support is very good, except for the response time. When we are stuck with something technical, they explain how to use it in multiple ways. They are supportive and that is pretty good.

Neutral

We were using a couple of other tools along with Veracode. One was SonarQube and the other was Acunetix.

The false positive rate is pretty low. When I started using Veracode, there were a lot of false positives, but that number became notably smaller. There are some false positives because new types of flaws are generated for each new version.

Initially, in general, whenever you see any kind of false positives or true negatives, it reduces your confidence. But whenever the reports are generated by Veracode, as developers we can understand that they show certain patterns of what might be a false positive. So we get an idea that this kind of a flaw might be a false positive while this kind might not be a false positive. We get clarity about the reports sent by Veracode. At a certain point, we might be sure that we can explain all the false positive data to management so that they can look into them and understand: If this kind of data or this kind of code flaw comes up, it is a false positive. We can easily associate these scenarios with false positives because they are normal and common.

During the initial phase, false positives affect our time because we can't deduce any conclusions. Static analysis is the kind of process in which you will encounter false positives in certain cases. But after a couple of implementations of machine learning, the results should be pretty accurate and the false positives should decrease.

Preventive maintenance is critical. Per my experience with Veracode, there are certain maintenance issues, but they are the normal types of things.

I would highly recommend Veracode, but initially, don't do a deep dive into the tool. Take a couple of licenses to start adapting to the tool and work out how it works and whether it's suitable for your development processes and developers, and get their feedback. I highly recommend it because it's a real time-saver, provides stability, and improves your organization's productivity.