What is our primary use case?
We use it for code analysis to see if there are any vulnerabilities in the code. I'm heading a startup for this, and I have a development team of about 14 people. They upload the codebase to Veracode, run an analysis, and take the results. If there are any vulnerabilities, they fix them.
How has it helped my organization?
It reduces security vulnerabilities and increases our security level. It has been helpful in reducing our security debt.
Having a centralized view for our developers and security professionals is very important. If there is anything in the cloud or infrastructure, we need to know proactively. Otherwise, we wouldn't know when there is a security compromise. So, we have to be prepared so that if something happens, we know where to go and stop it. It is not always about fixing and making your code zero percent vulnerable. That doesn't happen generally, but you need to know the areas where something can go wrong. If those areas are your critical systems or critical data security parts, you can act accordingly and quickly.
The centralized view has improved the visibility into the status of our application code. This visibility is very important because we need to know the condition or status of our codebase.
Scanning with the solution has increased our fix rate, but I don't have the metrics. It has also helped to increase the productivity of our security and development teams.
What is most valuable?
It is a good product for creating secure software. The static code analysis is pretty good and useful. The mitigation recommendations provided by the scanning engine are also pretty good.
What needs improvement?
From the usability perspective, it is not up to date with the latest trends. It looks very old. Tools such as Datadog, New Relic, or infrastructure security tools, such as AWS Cloud, seem very user-friendly. They are completely web-based, and you can navigate through them pretty quickly, whereas Veracode is very rigid. It is like an old-school enterprise application. It does the job, but they need to invest a little more on the usability front.
From the pricing perspective, it is not very convenient for startup organizations. They should have options to onboard it for the startup ecosystem quickly and affordably.
There should also be strengthening of the developer community.
For how long have I used the solution?
I have been using this solution for almost a year.
What do I think about the stability of the solution?
I didn't find any errors. It is available and stable. I didn't have any issues with it.
What do I think about the scalability of the solution?
Its flexibility is very limited. It is a very rigid application. Currently, we have six users of this solution in our organization.
How are customer service and support?
I interacted with them once. They were very good. They were very friendly and supportive. I would rate them a seven out of ten.
Which solution did I use previously and why did I switch?
We didn't use a different solution previously. The company started just a year ago.
What's my experience with pricing, setup cost, and licensing?
For enterprises, Veracode has done a fairly good job, but its pricing is not suitable for startups. The microservice distributed architecture for a startup is very small. I had to have a lot of discussions about the pricing initially. I previously worked in an enterprise organization where I used Veracode, and that's how I got to know about Veracode, but that was a big organization with more than a thousand employees. So, the cost is very different for them because the size of the application is different. Its pricing makes sense there, but when we try to onboard this solution for the startup ecosystem, the pricing is not friendly. Because I knew the product and I knew its value, I onboarded it, but I don't think any other startup at our scale would onboard it.
Its pricing should be based on the size of the application or organization. For a startup organization, they can provide credit-based pricing. They don't need to reduce the price. AWS, Google, and other vendors do the same where they don't reduce the price, but they give credits. I have been in the industry for 15 years, and I have seen that people don't like to change technologies for many reasons. For the first year or the first 18 months, customers can explore the product completely free. If the first year is free and you are onboarded, you would stay with it if it does the job. If the product is doing its job and adding security value, there is no reason to change it in the second year, and you are also ready to pay because, in the first year, you have tested that it is working fine. A company that has used it for the first year would definitely need it in the second year because they keep adding code to the codebase. Another option is that, like Cloudflare, they provide a very slashed rate. Cloudflare onboards everyone at a very cheap price, but when you start exploring the actual use cases, they start adding.
What other advice do I have?
It is a good product, and you should consider it, but it can be elevated more for startup culture. It should be more pricing-friendly and user-friendly. There should also be strengthening of the developer community.
We are only doing code analysis with it. For manual penetration testing, we have to contact an entity.
It hasn't reduced our scan time. It also hasn't helped our organization with certification and audits. We're a small startup, and at this time, we don't have audits, etc. We might do that later.
I would rate this product a six out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.