DevOps Engineer at a consultancy with 10,001+ employees
Real User
Top 20
Drastically reduced post-deployment issues for us
Pros and Cons
  • "Before Veracode, the application was deployed to the production server and there would be a lot of bugs and issues. Once we implemented the Veracode scan, the full deployment issues were drastically reduced."
  • "One concern is that scans take a long time to run. We scan at the end of the day because we know it will take a lot of time. We leave it to run and the report will be generated by the next day when we arrive. The scanning time could be reduced."

What is our primary use case?

We use it to scan third-party libraries to check for vulnerabilities.

How has it helped my organization?

Our company relies on Veracode to prevent vulnerable code from going into production. 

And it reduces post-deployment bug fixes. Before Veracode, the application was deployed to the production server and there would be a lot of bugs and issues. Once we implemented the Veracode scan, the full deployment issues were drastically reduced. In a month we do 10 releases and we used to get five or six post-deployment issues. Now, we barely get one or two.

Veracode has also significantly saved us time, around 30 to 40 percent, and we can concentrate on new features instead of fixing the old ones.

What is most valuable?

We use the full code analysis and the recommendations from the Veracode report.

What needs improvement?

One concern is that scans take a long time to run. We scan at the end of the day because we know it will take a lot of time. We leave it to run and the report will be generated by the next day when we arrive. The scanning time could be reduced.

Buyer's Guide
Veracode
October 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Veracode for the last three months.

What do I think about the stability of the solution?

It's very stable. I've never seen any downtime with Veracode.

What do I think about the scalability of the solution?

We use it on-prem, so I'm not sure whether it can be scaled. It's just one endpoint that multiple people access.

Which solution did I use previously and why did I switch?

We have two scanning stages. The first one uses SonarQube, which only does code analysis. It doesn't scan third-party libraries that we use in our code. Veracode is the second level of check. We work on a banking project. The bank trusts Veracode and they recommended Veracode to scan our products.

How was the initial setup?

The initial deployment was pretty straightforward. It's on-prem so there was no deployment strategy to follow. It took one to two days to deploy and check everything. A team of three to four people worked on the deployment. It depends on the project's complexity as well. As a DevOps engineer, I support a lot of projects within our organization, and the deployment varies from project to project.

In my department, we handle six to eight projects and each one needs a Veracode scan before deployment. As a company, we have multiple locations and departments but only the DevOps team of eight people has access.

The way we work with Veracode is that we have integrated it with Jenkins. We upload the artifacts to the server, trigger the Jenkins job, and the Veracode scan is generated. We have set everything from the Jenkins pipeline. The scan is automated using Jenkins, which means there is no need for maintenance. If there are new steps implemented in the pipeline, there might be some overhead, but it doesn't need any maintenance. We just set the port and everything works fine.

What other advice do I have?

Other than the scanning time, I would give it a solid eight out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Arnab Paul - PeerSpot reviewer
Cyber Security Consultant at a consultancy with 10,001+ employees
Real User
Good reporting and excellent SAST scan, but the DAST needs improvement
Pros and Cons
  • "Regarding Software Composition Analysis, an exceptional feature is that during a SAST scan, SCA is seamlessly conducted in the background."
  • "I've found that Veracode is not particularly suitable for Dynamic Application Security Testing."

What is our primary use case?

We utilize Veracode in three primary ways. The first is through Dynamic Scans, followed by Static Scans, and Software Composition Analysis Scans. I find this tool to be highly effective. We have various forms of support available. For instance, we can initiate our scans through the CI/CD pipeline or manually if needed. Additionally, we can create separate sandboxes for each of our code modules. Since development involves distinct code modules, each catering to different functionalities, we can conveniently set up corresponding sandboxes within Veracode. This allows us to scan any module whenever required, which is quite advantageous.

How has it helped my organization?

From a SAST perspective, Veracode can prevent vulnerable code from entering production by adhering to our manual checklist.

We haven't utilized the Software Bill of Materials; however, we have employed Software Composition Analysis. Whenever we scan a codebase, any third-party applications or libraries that have been incorporated into the code are automatically analyzed. Subsequently, a comprehensive report is generated. This report outlines the third-party libraries and applications that have been utilized in the codebase, along with their respective versions. Additionally, if any of these versions are found to have vulnerabilities, they are promptly detected.

Veracode is efficient. I have used various other tools such as DAST or SAST, and employing those tools usually takes between five and eight hours. In contrast, Veracode completes the task in two to three hours.

For each scan, there is a consultation button available. Clicking on that button allows us to schedule a call with a Veracode support team member. During the call, they explain any issues, clarify why certain problems are false positives, and discuss the reasons behind issue detections. There's also a consolidation part and a support button, where we can raise tickets. I have found that their maximum response time to these tickets is within one day.

Before starting the scan, Veracode offers a pre-scan functionality. This functionality performs connection and server checks in the pre-scan phase. It's similar to the SAST side of things for all the tools, where the code base is examined before initiating the SAST application to determine if it's sound. However, in Veracode's case, this is implemented in the DAST system. It checks whether the server is operational, if the provided call scripts are correct, and if the provided login scripts are accurate. This pre-scan functionality doesn't run during the actual scan but rather at the very beginning to ensure that all prerequisites are met. Once everything is verified, then we can proceed to initiate the actual scan.

Using Veracode policy regulations, we can offer predefined rules. When setting up any application, we establish the application name and other necessary details. Following this, there is a section where we can input this information. Essentially, there exist predefined regulations which we can either directly utilize if they suit our needs, or adjust them based on the requirements of our project team. Therefore, we have a pre-existing set of rules and functionalities available.

We do have a dashboard in Veracode that offers visibility into the status of applications. There is a section where we can view the application names, and next to each name, there is a status report such as "The SAST has been completed" or "in progress," and the same goes for DAST.

After the scanning is completed, with other solutions from a DAST perspective, we would receive a report. If there are any false positives, we would have to identify them ourselves. However, with Veracode, one of their engineers or a support team member will verify the information, which helps to minimize the number of false positives.

Before using Veracode, we used to perform many tasks manually. We had a checklist for the SAST. We would go through each line of code, attempting to determine its compliance and level of security. Even with the DAST, we used to carry out this process manually. Completing the DAST scan took a considerable amount of time. For each module, we had to dedicate at least two to three days. However, since adopting Veracode, we can now not only perform this process for each module, but we can also initiate scans for all the modules simultaneously. As a result, we can obtain the results within a maximum of three to four hours. Time-saving for fixing flaws is one of the significant benefits that Veracode has provided us, helping reduce the time by almost 60 percent.

What is most valuable?

Regarding Software Composition Analysis, an exceptional feature is that during a SAST scan, SCA is seamlessly conducted in the background. Once we scan all modules and obtain SAST results, switching to the SCA section reveals the associated reports. This integrated approach eliminates the need for separate SAST and SCA scans, as is required by other tools.

The reporting feature is noteworthy. The reports are well-structured, providing comprehensive details for each vulnerability. Information about the vulnerability itself, its origin, the specific section of code it pertains to, and even the exact line of code involved are all included.

What needs improvement?

I've found that Veracode is not particularly suitable for Dynamic Application Security Testing. Unlike other tools equipped with their own crawlers, Veracode necessitates the use of a Selenium script for crawling. However, the tool's compatibility with all functions is limited, which can be frustrating. For instance, functions like upload, download, or those triggering new tabs are challenging to handle within the DAST section due to Selenium's inadequacies when used with Veracode.

In contrast to other tools where we can monitor requests and responses during a scan, Veracode lacks this capability. The scan initiates, and we must wait until completion to see the results. There's no opportunity to check if the right requests are being sent or if certain components are being excessively targeted. Once the scan starts, we're essentially locked in until it concludes, and only then can we access the results. Furthermore, even after the scan, we're only provided with a summary of scanned URLs and the number of requests made, without the specifics of the request or response contents.

For how long have I used the solution?

I have been using Veracode for four months.

What do I think about the stability of the solution?

Veracode is stable, and we have not encountered any issues.

What do I think about the scalability of the solution?

The cloud version of Veracode can scale according to the file size.

How are customer service and support?

I have engaged in two different types of experiences with technical support. One involves the ticketing system, and the other involves consultation calls. The consultation calls revolved around static analysis. During these calls, we presented all the vulnerabilities we discovered. We conducted our analysis and demonstrated how Veracode identified certain vulnerabilities. However, we also explained instances where these were false positives due to specific reasons. During the call, they acknowledged these issues. They pointed out some of Veracode's limitations, highlighting that it solely scans the code and doesn't consider the framework side. This implies that they accept these limitations. Furthermore, they provided us with insights into how they plan to implement fixes in the future, which is quite beneficial.

Additionally, whenever we had inquiries or doubted Veracode's detection of false positives, they provided detailed explanations. They shared the specific Veracode setup and rules within the SAST side that led to the detection of certain vulnerabilities. They also explained that by incorporating certain mitigations at the code level, these vulnerabilities could be addressed. 

Regarding the ticketing system, for minor issues or questions, we would raise a ticket. They consistently responded within a maximum of one day, providing us with the necessary information.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before transitioning to Veracode, the client had been utilizing a free community version tool. However, the count of false positives was exceedingly high with that specific tool. This prompted the client to seek a solution that could deliver superior results with fewer false positives. As a result, the decision was made to switch to Veracode.

What other advice do I have?

I would rate Veracode a seven out of ten because the DAST has room for improvement.

The maintenance is completed by the Veracode team because we are using the cloud version.

For individuals seeking exclusively SAST and SCA capabilities, rather than DAST, Veracode stands out as the most suitable tool. However, if someone intends to utilize Veracode solely for DAST, I believe they should explore alternative tools. The effectiveness of Veracode's DAST functionality is limited, and using other tools might yield better results. Additionally, Veracode provides comprehensive training resources through its portal, including a list of documents and video tutorials. These resources are readily accessible and offer adequate guidance for initiating the use of Veracode.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
AjitMatthew - PeerSpot reviewer
Principal. - Head - IT, Information Security and Admin at a consultancy with 201-500 employees
Real User
Top 10
Offers dynamic scanning, static scanning, and software composition analysis
Pros and Cons
  • "Veracode does not require any maintenance."
  • "When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us."

What is our primary use case?

We use Veracode for product testing.

We exclusively utilize Veracode for a product used in our consulting services, which we provide on a licensing basis.

We deploy Veracode in the cloud and can utilize any cloud provider, including Google Cloud, Azure, and AWS.

How has it helped my organization?

Veracode's ability to prevent vulnerable code from entering production is both effective and thorough.

The SBOM feature is straightforward, making it easy to create reports. The SBOM feature is crucial to our organization because we can utilize the report to effectively present a product to customers, demonstrating its viability and security. 

Veracode has helped us improve our secure coding practices, which, in turn, has boosted our confidence in selling our products.

We were able to experience all of Veracode's benefits for our organization within the first year.

Veracode helps to provide visibility into the application's status at every phase of development. This helps us ensure that our code is secure from the start, saving us time that would otherwise be spent sorting through bugs at the end. 

Veracode's false positives are beneficial for our developers as they assist in organizing and understanding the implications of these false positives.

Veracode has helped our organization address flaws by identifying our mistakes. The initial usage of the solution was challenging due to the large number of code lines that needed to be read, but it became easier over time.

What is most valuable?

I find all the features valuable, especially dynamic scanning, static scanning, and software composition analysis.

What needs improvement?

When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us. The duration of the manual penetration testing process needs to be improved.

The cost of the solution can be reduced.

For how long have I used the solution?

I have been using Veracode for two and a half years.

What do I think about the stability of the solution?

Veracode is a stable solution.

What do I think about the scalability of the solution?

Veracode is scalable. Veracode is used by around four people in our organization.

How are customer service and support?

The technical support response time is slow. 

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup is straightforward. Veracode is a virtual platform, so all we need to do is upload the code, and it will be ready to use. The deployment was carried out by one of our senior product managers.

What about the implementation team?

The implementation was completed in-house.

What's my experience with pricing, setup cost, and licensing?

Veracode's pricing is on the higher end, but it is acceptable.

Which other solutions did I evaluate?

We evaluated multiple solutions, including BlackBox, three years ago. However, Veracode was the only solution that had all the features and also had a proper certification system in place. The other solutions did not provide a comprehensive suite. For instance, they offered static scanning but lacked dynamic scanning, whereas Veracode provided both, along with a training module.

What other advice do I have?

I give Veracode an eight out of ten. The solution is comprehensive, albeit a bit costly.

We have not observed any impact on our policy reporting and compliance with industry standards and regulations since we started using Veracode.

The false positive rate is slightly high, but we are able to manage it. The false positive rate of the static analysis has not affected the time we spend on the tuning process.

Veracode has not affected our developers' time significantly, as the response rates for certain tasks have been slightly slower.

I recommend conducting a cost analysis and rate of return evaluation to determine whether the solution is worthwhile. I highly recommend using Veracode for complex products, but it may not be as valuable for simpler ones.

Veracode does not require any maintenance.

I have learned that it is necessary to plan our strategy for the product and security prior to using Veracode.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Engineer at a tech vendor with 10,001+ employees
Real User
Secures our apps with accurate vulnerability detection in a straightforward, efficient solution
Pros and Cons
  • "I like the sandbox, the ability to upload compiled code, and how easy it is."
  • "The sandbox could use some improvement; when creating a sandbox, it requires us to put the application name in twice, which seems unnecessary."

What is our primary use case?

Our primary use cases are uploading and assigning scans, uploading compiled codes into the sandboxes, and searching marks to determine whether scans have been completed.

We have multiple locations, teams, and endpoints; we're a worldwide telecommunications company with over 2000 internal and external apps. Some apps communicate from the outside to the inside, but every app goes through Veracode.

How has it helped my organization?

We have to scan about 2000 apps, and we're already at 366 scanned within the year's first two months. Additionally, the company has been using Veracode for years; both are testaments to the solution's efficiency.

The platform provides visibility into application status at every phase of development: Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Testing throughout our SDLC. In terms of DevSecOps processes, the solution makes them quicker and smoother, with less confusion.

Veracode positively affects our organization's ability to fix flaws; we have a particular app at the moment that failed the scan twice due to its vulnerabilities. Without the solution, we likely wouldn't get that.

The solution has positively affected our organization's overall security posture and will continue to improve it. 

What is most valuable?

I like the sandbox, the ability to upload compiled code, and how easy it is.

It's also straightforward to find scans we've uploaded. 

The solution's ability to prevent vulnerable code from going into production is incredible. I have done several consultations and remediation calls with the app team, and Veracode catches almost everything. It picks up the same issues in everything we scan, and we've done a lot of retests that way; the tool is very proficient in this area.  

Veracode helps our developers save time; it's a straightforward product that shows us the vulnerabilities and allows us to relay them back to the developers. This is faster and more efficient than staff going through the code manually. The solution is like having a proofreading app for our code rather than using a proofreader.  

What needs improvement?

The sandbox could use some improvement; when creating a sandbox, it requires us to put the application name in twice, which seems unnecessary.

For how long have I used the solution?

We've been using the solution for a month and a half. 

What do I think about the stability of the solution?

Veracode is very stable; unlike many programs and apps, I've never had a problem with it.

What do I think about the scalability of the solution?

The solution is scalable; we're a global telecom company, and we use it to scan every one of our over 2000 apps. 

How are customer service and support?

The technical support is excellent. 

How would you rate customer service and support?

Positive

What's my experience with pricing, setup cost, and licensing?

I'm unfamiliar with the solution's pricing, but it must be worth the cost from a company perspective, as we have been using it for years and have no plans to move away from it.

Which other solutions did I evaluate?

The product was in place long before I arrived at the company, so I don't know if they evaluated other options.

What other advice do I have?

I rate the solution 10 out of 10. 

I recommend Veracode to any company looking for this type of platform. Though I need to become more familiar with competitor products, I like going into programs and clicking around. Even if I don't initially understand something within Veracode, I can keep going and make sense of it. I updated my resume to include my new experience with the solution.

Veracode reduced the cost of DevSecOps for our organization; we upload a scan, run the test, get the vulnerabilities, and set up a remediation meeting. This makes communication more manageable, and the information is more visible, as all our staff can access the scan results. In several instances, we've consulted with employees from the Veracode side, and they've been very helpful in walking our app team and testers through whatever vulnerabilities we've had issues with.  

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
David Jellison - PeerSpot reviewer
Senior Director, Quality Engineering at Everbridge
Real User
Easy issue tracking and high visibility
Pros and Cons
  • "Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed."
  • "I think if they could improve the operations around accepted vulnerabilities, we would see improvements in our productivity."

What is our primary use case?

Our primary use case for Veracode is SAST and SCA in our SDLC pipelines. We also use it for DAST on a periodic basis and time-based scans on our staging system. We use the training modules for certifying all our developers annually.

In addition, we use Veracode to scan within our build's pipeline. We do use Greenlight, which is their IDE solution for prevention of issues of vulnerabilities.

We are FedRAMP certified as a company, so we use this as part of our certification process for Veracode ISO 27001 and various other certifications we have.

How has it helped my organization?

There is a tight integration of Veracode with JIRA. We use JIRA for nearly all of our issue tracking.

This integration provides a way to link all of the vulnerabilities discovered to our backlogs and active scrum queues, so that there's high visibility within teams for any of the issues that are related to their teams.

What is most valuable?

I think the most valuable to us is the policy management, which enables us to create different kinds of policies for different kinds of applications. Veracode policy management also allows us to plan for, track against, and report on our compliance with those different policies.

What needs improvement?

I think the biggest room for improvement is around known or accepted vulnerabilities that, when we re-scan, we want those things to be recognized as already accepted, as an exception. Sometimes they show up as something new and we have to go back and re-accept that as an accepted exception in order to bring our numbers back into compliance. I think if they could improve the operations around accepted vulnerabilities, we would see improvements in our productivity.

I would also like to see more executive reporting. Having a good snapshot of how well we're tracking, where each of the teams that own the applications, how they're doing, and where their gaps are would be good. Currently, the reporting is geared towards tracking current vulnerabilities. Even though they have trending, the trending doesn't necessarily evaluate the teams and how well they're doing. I would also like to be more oriented towards teams.

Overall, I would give Veracode a nine out of 10.

For how long have I used the solution?

The company's been using Veracode for five years. I've been using it for four years.

What do I think about the stability of the solution?

Veracode is stable in my opinion. We've had very little interruption that was unplanned.

What do I think about the scalability of the solution?

We have not run into an issue with scalability yet. Veracode was built based on application counts and not users, which is what a lot of the competitors do.

We have some 300 people using Veracode. Some are executives while others are engineers actively working in Veracode. 

How are customer service and support?

Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have used Veracode the entire time I have been with this organization. However, I know that they used Coverity and WhiteSource prior to switching to Veracode. The main reason my organization chose Veracode is its comprehensive dashboard. 

How was the initial setup?

Our deployment took a while so I would say the initial setup was moderately complicated. We gradually moved into the pattern we are in today and displaced some other vendors along the way. So it was a slow ramp for us because of our business needs.

We were up and running and operational within a couple of months. And then, over time, we broadened our footprint with Veracode.

What about the implementation team?

We deployed Veracode in-house. 

What was our ROI?

Our biggest return on investment is maintaining certifications that enable us to attract customers of larger scale and government-sensitive customers.

Going back to the cost structure, I think that the way Veracode is priced and their comparison to third parties, I still put them at four out of five.

What's my experience with pricing, setup cost, and licensing?

Veracode recently introduced some pricing based on microservices. This model gives us a lot of flexibility in being able to add and remove microservices and scale them that way.

The pricing is solid. I think the current consolidated pricing that we have is pretty consistent every year.

What other advice do I have?

All of the Veracode applications operate as one platform. Most of the competitors out there separate their products from their reporting and configuration, so you don't get a single pane of glass. With Veracode, you get a single pane of glass and reporting that you can combine with the different scan types to look at compliance.

The advice I would give regarding this solution is this: Look at the policies, the dashboards, and integration with ALM applications like Veracode and JIRA. They have a tighter integration there than I see with most of the competitors.

I'm sure that the scan quality is consistent. Perhaps there are some applications that are a little better than others at detection. But we find that Veracode is very comparable to other solutions in the quality of catching vulnerabilities.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1745850 - PeerSpot reviewer
Vice President QE Practice at a computer software company with 1,001-5,000 employees
Real User
Helps us continuously reduce security debt, year over year, but remediation activities need some work
Pros and Cons
  • "We have to look at it from the perspectives of how important it is to fix something and when it should be prioritized for fixing. The JSON output from the agent-based scans gives us the CVSS score, and that makes things much easier."
  • "Veracode doesn't really help you so much when it comes to fixing things. It is able to find our vulnerabilities but the remediation activities it does provide are not a straight out-of-the-box kind of model. We need to work on remediation and not completely rely on Veracode."

What is our primary use case?

When code is being developed by our developers, the testing team runs through the static code application scanning and takes a look at how it is working out.

How has it helped my organization?

There are multiple code check-ins happening. When check-ins occur, we want to make sure that anything that needs to be tested, whether in that particular unit, or whether in the end-to-end functionality, is scanned and that the code is certified as usable. That's the first step we do, and it's a very important one. The scanning process helps our security team and developers fix flaws in the code and increases our fix rate.

Veracode SCA also reduces scan times because it scans incrementally. There is an initial baseline when the code is being created, but it does any additional delta check-ins fast and gets us the information.

We have been able to handle the overall code review process faster, because of Veracode's static code analysis. For example, we were able to onboard around 120 applications in seven to 10 months.

Another benefit is that it helps reduce security debt. It becomes much easier to run through the overall code. We have predominantly used it for shift-left, testing code much earlier from a security standpoint. Compared to when we started versus now, we have done a phenomenal job. Year on year, our security debt has been continuously decreasing by 10 to 12 percent.

Veracode takes the burden out of manual code reviews, helping to create secure software. The Greenlight feature helps the developer, at his desktop, before his code is even checked in. He gets a good understanding of how things look from a security standpoint, meaning how secure his code is. It will mitigate a lot of basic vulnerabilities at the start. And then, during the source code analysis, once it has been checked in, we have seen a 30 to 40 percent reduction in dynamic vulnerability identification because of the static code analysis that precedes it. Our vulnerabilities are at the dynamic standpoint. It's one of our most important requirements because we want to make sure that we provide a secure product and services. It's of paramount importance.

And as an educated guess, it has increased security and development teams' productivity by 7 to 9 percent, and that's a month-on-month increase.

What is most valuable?

The main feature we have been using is the software composition analysis, which provides us with a scoring system in terms of version 3 of the CVSS. A lot of vulnerabilities are typically detected, but, at the end of the day, we also want to check how well they are being targeted, based on the Common Vulnerability Scoring System. Not every vulnerability is high-severity, because some of them do have fixes. That particular feature is helpful for us.

It gives you JSON output. When you do agent-based scans, at any point in time, there are multiple check-ins of the code. We have to look at it from the perspectives of how important it is to fix something and when it should be prioritized for fixing. The JSON output from the agent-based scans gives us the CVSS score, and that makes things much easier. It's available on the new version of the Veracode SCA agent.

It also has a decent support system for audits. From that perspective, they did a very good job.

What needs improvement?

The mitigation recommendations are the standard ones, but if there are specific activities that come into the picture, Veracode should provide more remediation solutions. Since all of our team members are pretty good at what they do, they're able to do a good job with the information they get. But if somebody had to start off from the ground floor, they might need some help to understand things.

Veracode doesn't really help you so much when it comes to fixing things. It is able to find our vulnerabilities but the remediation activities it does provide are not a straight out-of-the-box kind of model. We need to work on remediation and not completely rely on Veracode.

Also, there are certain third-party libraries that might be called up by the code and that might have vulnerabilities. I haven't seen that Veracode is able to deal with that aspect. 

Another area for improvement is when the code's logic might have certain flaws that can result in a security vulnerability. Veracode doesn't handle that as well. Improvement in those areas would help us determine things much faster.

For how long have I used the solution?

I've been using Veracode Software Composition Analysis for about five years.

What do I think about the stability of the solution?

It's pretty robust.

What do I think about the scalability of the solution?

The scalability is very good. 

Our users are developers and security testers, predominantly. The number of people using it depends on the project. Sometimes we have 10 people on it and at other times we might have only five.

The teams that work on it take care of maintenance, so we do not need any additional team to do that. We also have a center of excellence that takes care of things.

How are customer service and support?

The solution's technical support is good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

The process of setting it up was fast and easy. Integrating it into our ecosystem was much faster than expected. That was one of the biggest ways it improved our ability to get the code analysis done. 

The reason why it was straightforward is that everybody knows how it has to be set up. All the developers and the testers are well-educated, from a Veracode standpoint, because they have experience with it from the past. It was not a new tool on the block.

What was our ROI?

The cost has been an important aspect for us, but we have run with the additional cost of the overall code analysis. One of the major reasons is that developers get a better understanding of where their code stands before a security tester gets into the picture. The cost-benefit for us is that, rather than having to build up a whole security testing team, developers get security insights earlier in the development lifecycle. After that, we can introduce the testers to get things finished, and that reduces the manpower cost.

What's my experience with pricing, setup cost, and licensing?

Compared to the typical software composition analysis solutions, Veracode is not so costly, although the static analysis part of it is a little costlier. It depends upon the ecosystem you are using, whether your application is a web application or a custom, non-web application. It can support all of them. The pricing depends on where you are with your overall security strategy.

If you have multiple applications and you want to scale it at an enterprise level, this is a good tool. But a very small shop might not want to go with it because there are a bunch of alternatives that work well. Again, it depends upon where you are at on your overall software AppSec journey.

What other advice do I have?

In terms of security breaches, the static code analysis is what we use to try to ensure that an application is free of vulnerabilities. But when you deploy it in the environment, there are multiple aspects that might contribute to a breach. It could be either due to the infrastructure or another application or even through endpoint network solutions. So, we cannot completely rely on Veracode to prevent security breaches but it can reduce them.

Veracode SCA reviews the code and allows us to provide overall information in terms of vulnerabilities. It does a pretty decent job. We are used to Veracode, having used it for a long time. Compared to when we started, all the developers are comparatively more confident and happy with it.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Chris Sawyer - PeerSpot reviewer
Full Stack Engineer at TCDRS
Real User
Gives us peace of mind regarding our website's security environment
Pros and Cons
  • "The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use."
  • "I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use."

What is our primary use case?

We have a website built on the Microsoft stack, with .NET. Veracode comes in and scans our code and, for the static side of it, we zip up the CS files and the JavaScript files, and upload them for scanning.

How has it helped my organization?

It gives us peace of mind regarding what our website's security environment looks like. It provides that quality check to make sure that we have as few vulnerabilities as possible.

What is most valuable?

The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use.

What needs improvement?

I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use.

Also, with the dynamic tool, sometimes a scan gets stuck and it can be hard to get a hold of the right person in a timely manner to find out why it got stuck and to get it unstuck, or to create a new one.

Overall, speed and customer support could be improved.

For how long have I used the solution?

I have been using Veracode at my current job for about two years and I used it at my previous job for at least six years or so.

What do I think about the stability of the solution?

It's very stable. It's very good that way. I haven't run into too many times where their website is down. Usually, it's just for maintenance and they'll let you know ahead of time.

What do I think about the scalability of the solution?

Since it's a cloud offering, we don't have to worry about its scalability.

We don't utilize our current offering to its fullest, so we don't have plans to expand use of it.

How are customer service and support?

Their technical support is pretty good. It depends on who you get. As I mentioned, sometimes it's hard to get an answer from them quickly about why a scan got stuck or what's going on with it. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I've used Checkmarx and IBM AppScan.

What was our ROI?

I don't know what ROI might be in terms of a dollar amount, but the peace of mind and quality it gives us, making sure we don't get hacked, are types of ROI.

Which other solutions did I evaluate?

The "gold star" goes to Veracode's dynamic scanning capabilities. I've used other static scanners that may be a little bit better than Veracode, but the dynamic is a lot faster and a lot easier to use. The other ones I have used can be very complex when setting up the scans.

What other advice do I have?

Veracode only has a cloud offering. You upload your binary files for static scanning, or you whitelist your IP and have them come in and scan your website. It doesn't require any maintenance on our end.

Overall, it's really good. It's a lot better than other offerings I've seen. The dynamic scanner works really well. The static scanner is still good, but it could be improved.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer2381340 - PeerSpot reviewer
Lead Consultant DevOps and Infrastructure at a tech vendor with 5,001-10,000 employees
Consultant
Top 20
Prevents vulnerable code, offers end-to-end visibility, and saves our developers time
Pros and Cons
  • "This static analysis helps ensure a secure application rollout across all environments."
  • "The scanning takes a lot of time to complete."

What is our primary use case?

We use Veracode to scan the applications.

How has it helped my organization?

Veracode's ability to prevent vulnerable code from entering the production environment is good.

Using Veracode's ASC team is easy. I can send them an email and arrange a call from the app. They were helpful when I had issues or questions about using the app.

Free access to the ASC team is a significant advantage because they possess in-depth knowledge of the product and are readily available for assistance.

It is innovative when it comes to features.

Veracode helps our organization with security scanning. We realized the benefit of Veracode as soon as it was deployed.

The policy reporting is valuable because it provides two key benefits: first, it generates a security score for our application. Second, it offers comprehensive reporting that details both the vulnerabilities found and the potential risks they pose to our application.

Veracode can provide visibility into application status at every phase of development.

It assists our application team in fixing flaws by identifying issues and guiding the team toward resolving them.

Veracode helps our developers save time by ensuring the code is secure.

Veracode helps us improve our overall security posture. When a Veracode report shows no vulnerabilities, it indicates a strong security position. This allows the security team to sign off on approvals more efficiently, as a clean Veracode report is a key factor in their evaluation process.

Veracode is a valuable tool for a shift-left security strategy. It helps save overall development time, money, and effort by identifying and resolving security vulnerabilities early in the development lifecycle.

What is most valuable?

I find Veracode's SAST feature to be the most beneficial because it enables us to proactively identify security vulnerabilities in our application code before deployment. This static analysis helps ensure a secure application rollout across all environments.

What needs improvement?

The scanning takes a lot of time to complete.

Veracode offers comprehensive visibility into application security throughout the development lifecycle. However, due to cost constraints, we are not currently utilizing all available analysis types.

I would like Veracode to introduce infrastructure as code scanning.

Instead of relying on emails, it would be beneficial if Veracode offered a built-in tool for logging and managing issue tickets.

Veracode sometimes performs maintenance without notifying clients in advance, which can cause disruption.

For how long have I used the solution?

I have been using Veracode for two years.

What do I think about the stability of the solution?

For the most part, Veracode is stable but there are times when we have downtime due to maintenance that we are not informed of.

What do I think about the scalability of the solution?

I would rate the scalability of Veracode nine out of ten.

How are customer service and support?

Technical support has been great at fixing any issues I've had.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

My client in the banking industry previously used Black Duck before switching to Veracode.

Veracode's end-to-end testing offers a significant advantage over other solutions by providing a comprehensive security solution. This includes capabilities for static analysis, dynamic scanning, and even penetration testing. However, the cost associated with dynamic scanning and penetration testing may deter some clients from utilizing these features.

What's my experience with pricing, setup cost, and licensing?

I don't have firsthand knowledge of Veracode pricing, but based on client feedback, it seems to be expensive with additional fees for certain features.

What other advice do I have?

I would rate Veracode eight out of ten.

Maintenance is performed by Veracode.

During a Veracode evaluation, consider the following factors: Evaluate the time required for Veracode to complete a scan. Faster scans allow for quicker feedback and integration into development workflows. Consider the overall cost of Veracode, including licensing fees and any associated charges for scans. Assess Veracode's orchestration tools, particularly its compatibility with your existing CI/CD pipeline. Ideally, Veracode should offer seamless integration for easy adoption. Evaluate the availability and variety of connectors Veracode offers for integration with your development tools. A wider range of connectors simplifies the integration process.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.