The most important purpose of this platform is code security. We are able to scan our code and find security flaws.
Data Research Analyst & Business Development at DIS Research
Reduces manual processes for us, saving significant time
Pros and Cons
- "The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws."
- "The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced."
What is our primary use case?
How has it helped my organization?
Veracode has saved us a lot of time because we have been able to reduce manual processes. We are able to do most things automatically with the platform. It has saved us between 30 and 40 percent of our time.
What is most valuable?
The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws.
The sandbox environment is also one of the features we are using, as well as integration with our CI/CD pipeline, which is very useful. The product is pretty easy to understand, which is quite good.
The policy reporting for ensuring compliance with industry standards and regulations also helps us a lot.
It gives us visibility into application status at every phase. We have definitely seen an improvement in that regard.
For how long have I used the solution?
I'm pretty new to this platform. I'm going with a trial right now and have been using it for about a month. We have spent most of our time analyzing the code.
Buyer's Guide
Veracode
January 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
832,340 professionals have used our research since 2012.
What do I think about the stability of the solution?
It's a stable product.
What do I think about the scalability of the solution?
It is also very scalable.
How are customer service and support?
The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
This is the first such tool we are using.
How was the initial setup?
The initial deployment was not very complex. It took us around 15 days because we were trying to understand the policies and many other things. Our team has 15 people and everyone was involved in making some decisions regarding the solution.
We have only needed help with the product itself. That's what we have reached out to their team for. But there hasn't been any maintenance of the product for us.
What's my experience with pricing, setup cost, and licensing?
The pricing is a bit high. Although we are in a trial phase, if we are going to make the decision to purchase the software, the pricing is going to be high for us.
What other advice do I have?
We are able to justify the false positives because security flaws are one of the biggest things that Veracode's features help us with.
Overall, the product is good. It has made a very good impression. There are some flaws, as I have mentioned, but overall it looks very good, with the features I've mentioned. The impact on our security has been good. The main challenge for us will be the pricing, but if we ignore that factor, the impact has been very good and we would definitely implement Veracode.
I would suggest having a look at Veracode. Go for a trial of the system to see if Veracode is something that can help solve your problems. Pricing should be ignored because there are definitely some very specific features that help a lot.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Solution Architect at a tech vendor with 10,001+ employees
Includes valuable static and dynamic code scanning and detailed reports
Pros and Cons
- "The static scan and the detailed reports, which include issue information and permissions, are the most valuable features."
- "Veracode does not support scans for .NET Blazor server applications."
What is our primary use case?
We are developers who utilize Veracode for the static and dynamic scanning of our applications.
How has it helped my organization?
Veracode provides both us and our customers with confidence that our applications do not have any issues by helping to prevent any vulnerable code from being deployed in production.
Veracode has helped us improve the way we conduct static and dynamic code testing in our organization. Based on the reports we receive, we can quickly identify what needs to be fixed immediately after the scan. For minor issues, we are given time to address them after moving into production, but for major issues, the application is unable to enter the production phase.
We utilize Veracode for static and dynamic code scanning in our software configuration and lifecycle management. It is integrated as part of our pipeline, allowing the code to be automatically scanned in the background. This enables us to review the reports promptly.
The information provided by Veracode enables us to easily rectify vulnerabilities in the workflow.
Veracode can help our developers save time, depending on the issue and the age of the application.
Veracode saves time by automating the basic tasks that were previously performed manually.
Veracode has had a positive impact on our security stance and has empowered our customers to confidently migrate their applications to the cloud.
What is most valuable?
The static scan and the detailed reports, which include issue information and permissions, are the most valuable features.
What needs improvement?
Veracode does not support scans for .NET Blazor server applications. We encounter errors whenever attempting a scan. I would appreciate it if Veracode could incorporate support for these applications.
I would like Veracode to offer code support for the latest releases of .NET whenever they are released by Microsoft.
For how long have I used the solution?
I have been using Veracode for over one year.
What do I think about the stability of the solution?
Veracode is stable.
How are customer service and support?
The technical support is helpful, but they operate on their own schedule, so in certain instances, we have to endure a considerable wait for a resolution.
How would you rate customer service and support?
Neutral
What other advice do I have?
I give Veracode an eight out of ten.
Our customer provides us with a Veracode profile account for uploading and testing code. We do not manage the solution or have any insight into how it is deployed.
I highly recommend Veracode for assisting in identifying vulnerabilities in code.
I have learned that Veracode can confidently scan and detect vulnerabilities in code. However, for older or unsupported applications, we need to seek an alternative solution.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: MSP
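The review above describes a release policy in which major flaws keep a build out of production while minor ones get a remediation window. The script below is an added example of such a gate, not code from this page, from the reviewer, or from Veracode; the finding shape, the numeric severity scale, the policy thresholds and the dates are all constructed for illustration and are not Veracode's report schema.

```javascript
// Added example: a release gate in the spirit of the policy the review describes,
// where major flaws block promotion to production and minor flaws get a remediation
// window. Not Veracode's code or report schema; the finding shape, the severity
// scale and the dates below are constructed for illustration.

// Constructed scan result summary. severity: 5 = Very High, 4 = High, 3 = Medium,
// 2 = Low, 1 = Very Low (an assumed scale). "mitigated" means an approved mitigation
// exists, so the flaw is accepted for this release.
const SAMPLE_RESULTS = [
  { id: 101, cwe: "CWE-89",  severity: 5, firstFound: "2024-01-02", mitigated: false },
  { id: 102, cwe: "CWE-79",  severity: 3, firstFound: "2024-03-01", mitigated: false },
  { id: 103, cwe: "CWE-209", severity: 2, firstFound: "2023-11-15", mitigated: false },
  { id: 104, cwe: "CWE-89",  severity: 5, firstFound: "2023-12-20", mitigated: true  },
];

// Assumed policy: High and above must be fixed before release; everything from Low
// upward may ship for at most graceDays after it was first found, then it blocks too.
const POLICY = { blockAtOrAbove: 4, trackAtOrAbove: 2, graceDays: 30 };

const DAY_MS = 24 * 60 * 60 * 1000;

// Whole days between an ISO date (YYYY-MM-DD, treated as UTC midnight) and "now".
function ageInDays(isoDate, now) {
  return Math.floor((now.getTime() - Date.parse(isoDate + "T00:00:00Z")) / DAY_MS);
}

// Sort unmitigated findings into blocking / overdue / tolerated buckets and decide
// whether the build may be promoted. "now" is injected so the decision is testable.
function evaluateGate(findings, policy, now) {
  const blocking = [];
  const overdue = [];
  const tolerated = [];
  for (const f of findings) {
    if (f.mitigated) continue;
    if (f.severity >= policy.blockAtOrAbove) {
      blocking.push(f);
    } else if (f.severity >= policy.trackAtOrAbove) {
      if (ageInDays(f.firstFound, now) > policy.graceDays) overdue.push(f);
      else tolerated.push(f);
    }
  }
  return {
    pass: blocking.length === 0 && overdue.length === 0,
    blocking,
    overdue,
    tolerated,
  };
}

// Stand-alone run: print the verdict. In a real pipeline step the caller would
// exit non-zero when verdict.pass is false so the deployment stage never starts.
const verdict = evaluateGate(SAMPLE_RESULTS, POLICY, new Date("2024-03-10T00:00:00Z"));
console.log(`gate: ${verdict.pass ? "PASS" : "FAIL"}`);
for (const f of verdict.blocking) console.log(`  blocking  #${f.id} ${f.cwe} sev ${f.severity}`);
for (const f of verdict.overdue) console.log(`  overdue   #${f.id} ${f.cwe} sev ${f.severity} (found ${f.firstFound})`);
for (const f of verdict.tolerated) console.log(`  tolerated #${f.id} ${f.cwe} sev ${f.severity} (found ${f.firstFound})`);
```

Two design points matter in practice. The clock is injected rather than read from the system so the gate's decisions can be replayed and unit-tested, and the grace window is keyed to the date a flaw was first seen, not the date of the current scan, so re-scanning never resets the deadline. Only findings with an approved mitigation are skipped; a proposed but unreviewed mitigation should still block.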
VP of Product at a healthcare company with 51-200 employees
Useful scanning, highly scalable, and quick setup
Pros and Cons
- "The most valuable feature of Veracode Static Analysis is the scanning."
- "Veracode Static Analysis can improve the false positive rate. There are always improvements that can be done to the false positive rate. There are some things that get flagged that are not an issue. However, it is not a huge concern."
What is our primary use case?
We use Veracode Static Analysis in the IDE for our engineers to be able to catch security issues while they're coding. Additionally, we use it for the Veracode Verified program to show that we're scanning and compliant, and we get the third-party seal of approval.
It's security scanning, static analysis code scanning software.
How has it helped my organization?
Veracode Static Analysis has benefited our company because we are catching potential security issues earlier in the pipeline. Before anything goes to human code review, Veracode Static Analysis catches issues as the engineer is working in their IDE.
What is most valuable?
The most valuable feature of Veracode Static Analysis is the scanning.
What needs improvement?
Veracode Static Analysis can improve the false positive rate. There are always improvements that can be done to the false positive rate. There are some things that get flagged that are not an issue. However, it is not a huge concern.
For how long have I used the solution?
I have been using Veracode Static Analysis for approximately 18 months.
What do I think about the stability of the solution?
Veracode Static Analysis is stable.
What do I think about the scalability of the solution?
We have got 5 million lines of code and it hasn't choked at all but seems to run just fine.
We have approximately 40 users and most of those are frontline engineers. Additionally, we have security officers who use it to run reports and team leads that use it for training. We plan to increase our usage when we have new deployments.
I rate the scalability of Veracode Static Analysis a ten out of ten.
How are customer service and support?
I have not used the support from Veracode Static Analysis.
Which solution did I use previously and why did I switch?
We used HCL AppScan prior to Veracode Static Analysis.
How was the initial setup?
The deployment can be done in approximately 10 minutes. We use Bitbucket Pipelines and Veracode Static Analysis is integrated into our deployment pipelines.
I rate the initial setup of Veracode Static Analysis an eight out of ten.
What about the implementation team?
We did the deployment of the solution in-house. We typically can do the deployments with one person.
What was our ROI?
I cannot say we have had a return on investment because we haven't had any security incidents, but we didn't have any before using Veracode Static Analysis either.
What's my experience with pricing, setup cost, and licensing?
The price of Veracode Static Analysis is expensive. There is an annual fee to use the solution and the company is upfront with the pricing model and fees.
I rate the price of Veracode Static Analysis a three out of ten.
Which other solutions did I evaluate?
We evaluated Checkmarx and Synopsys before choosing Veracode Static Analysis.
What other advice do I have?
My advice to others is if they use Veracode Static Analysis they are using a very solid solution. You get what you pay for. It's an expensive solution, but it's very good. You're going to save a lot of time and a lot of headaches with fewer false positives, but you're going to pay for it. It's good if you want to automate something into your pipeline and it's going to run fast and give you good results. I would choose Veracode Static Analysis, but be cognizant of the cost.
I rate Veracode Static Analysis an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director Security and Risk OMNI Cloud Operations at a tech vendor with 1,001-5,000 employees
Keys for us are the static scanning and the ability to set policy profiles specific to us
Pros and Cons
- "Valuable features for us are the static scanning of the software, which is very important to us; the ability to set policy profiles that are specific to us; the software composition analysis, to give us reports on known vulnerabilities from our third-party components."
- "Veracode is a cloud-based platform, where they manage all the back-end, and they do a lot of analysis during the scans, and they do a lot of post-scan reconciliation."
- "That it is a cloud-based solution is very valuable to us. We don't need that hardware running our scans and hosting the environment to be scanned. Also, the technology, the static scanning versus dynamic scanning produces a much better result, a more accurate result."
What is our primary use case?
Application development and secure code development.
How has it helped my organization?
We do automated scanning, so we use it as part of our development cycle. We do both automated security scanning as well as our own automated testing. We run the two in parallel and treat both outputs of, let's say, a sales functionality test. A security vulnerability is just a defect that needs to be resolved before we release the product.
We do an automated upload to the Veracode platform for all of our applications - we have about 35 applications. For all of them, it's automatically done, pre-configured, pre-compiled, based on scripts that we worked out with Veracode. And then on a scheduled basis, the upload and scanning is done, in some cases, twice a month. In some of our applications, two to three times a week, we just constantly scan and look for exposures, and continue to feed that back to the development team and make sure that they don't release product that's not ready for market.
We have found that our developers have become a lot more knowledgeable about how to develop secure code, and that was very important to us. We also became more knowledgeable about vulnerabilities in the market, which are the most critical to address. You could say it helped us to apply the right investment in the right place.
In terms of best practices and guidance, we do quarterly reviews with Veracode, where they're analyzing our information alongside of us and providing feedback to our executive team to suggest strategic changes in certain approaches. We've also done benchmarks with them, where we've compared our maturity model to the industry's model, as far as security practices go and best practices for security and such. In some cases, we've made adjustments to improve, and in some cases we are confident we're ahead.
Regarding our customers, for one, they can move to market faster, we can move to production faster. Also, we discuss our security program and the software development life cycle with them in pre-sales discussions, post-sales discussions, implementation approaches. What it does is, it gives them the confidence to move ahead in a more direct fashion, with one less headache for them to worry about.
What is most valuable?
- The static scanning of the software is very important to us.
- The ability to set policy profiles that are specific to us.
- The software composition analysis, to give us reports on known vulnerabilities from our third-party components.
What needs improvement?
It's really hard to criticize something that has become somewhat seamless for us. If they wanted to expand their capabilities into other areas of security, that would be fine. They're a very knowledgeable group of people. We do meetings with them on a pretty regular basis. We gain insights from their perspectives.
To me, if they just broadened their footprint into the areas that their feet feel comfortable going into, we'd have no problem pursuing that.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
No issues with stability.
What do I think about the scalability of the solution?
None.
How are customer service and technical support?
Tech support is very effective. We can do online requests for read-outs with their tech support - but the more common support would be for security advisory, when we're looking at certain vulnerabilities that we're struggling with how to remediate. We can get online with one of their security engineers, and they provide advice to us on best practices for making the code changes to secure the system. They do a very good job of that.
Which solution did I use previously and why did I switch?
Prior to working with Veracode, we used a self-applied application. That is, we had the solution on-premise, but just could never quite get the routine approach that we've developed with Veracode. The program management features that Veracode offers to help us get our program up and going, along with the low false-positive rates that their solution provides - versus what we had done in the past - gave us some immediate traction. I think that we were able to make progress in the first five or six months working with Veracode, that we had not made in four or five years with previous approaches.
It was a dynamic scanning solution but, again, it was on-premise. Veracode is a cloud-based platform, where they manage all the back-end, and they do a lot of analysis during the scans, and they do a lot of post-scan reconciliation, where the other solution was a good solution, but all of that work fell upon us to do for ourselves. Our focus is on developing features and functions for our application, and running an application security platform in-house is just not practical, just not our core competency.
How was the initial setup?
It was straightforward. We went from signing a deal on December 30th, to performing that first scan on January 5th, to completing that scan and starting to remediate issues on about January 15th. And that is one of the fastest wrap-ups of any technology that I've been associated with.
What was our ROI?
By implementing Veracode in our development process, what we've done is cost avoidance, not necessarily savings. By getting ahead of it, and releasing product to the market that's more secure, we have very few, if any, reported issues by our customers. So we don't have to go and do a maintenance repair of those. That's an avoidance of cost.
It's a pretty accepted standard that if you release a vulnerability or a flaw into the market, it's going to cost you 10 times more to address it after the fact than if you prevent it. I'd say that that, plus the automation of the scanning, has also reduced the amount of capacity or full time equivalence we have to apply to repair and scan.
As I said, we have 35 applications, and instead of having 35 different people preparing their packages for upload and scan, it's automated. We don't have to spend money doing that as well.
So avoiding the cost of releasing vulnerabilities into the market that get caught by customers and reported back, is a big one; and then, reducing the investment of performing the continual scans.
What's my experience with pricing, setup cost, and licensing?
We're very comfortable with their model. We think they're a good value.
We worked very closely with Veracode on understanding their license model, understanding what comprises the fee and what does not. With their assistance in design, we decomposed our application in a way where we are scanning a very significant amount of code without wasting their capacity and generating redundant reported issues. You scan in profiles, per se. And we work with them, in their offices, to design the most effective approach.
So the advice I would have for customers is, you can get up and live fast, but work closely with Veracode to refine the method you use for scanning and the way you compile the applications. There's a concept called entry-point scanning, and that's probably not used well by the rest of their customers. We see our licensing as a good value because we leverage it heavily. I'd say many customers might not quite go to that level. But that's their choice.
Which other solutions did I evaluate?
I'd rather not give out competitor names.
But the method we were using in the past was what is called dynamic scanning, or DAST. That required we have an environment that was up and running with the application, and then we could proceed to scan. You can see that if we have 35 applications, that means we've got 35 environments running our application internally, just for scanning purposes. That's a lot of hardware, whereas this methodology uses static scanning, where we upload the compiled code and we don't invest any hardware in doing that. The scanning capability not only does the scanning but contains the application code for us. There are a lot of complexities with trying to do a dynamic scan on-premise, versus a static scan on a platform.
You almost can't compare the two. False-positive rate in the dynamic scanning was very high - 30 percent, maybe - and the false-positive rate for the static scanning is very low - maybe two to four percent. That is a significant value, because you don't have to spend a lot of time sorting through reported issues to determine if they're valid or not. We're pretty well assured that as we start investigating one, it's more than likely valid. We don't have that doubt entering in.
It was a different approach. Two concepts:
- That it is a cloud-based solution, which is very valuable to us, we don't need that hardware running our scans and hosting the environment to be scanned.
- The technology, the static scanning versus dynamic scanning produces a much better result, a more accurate result.
What other advice do I have?
We recommend Veracode to colleagues all the time.
I'd give the advice of not getting hung up on trying to compare the static scanning to the dynamic scanning, that's number one. Don't even compare them. If you're doing neither, do static first. It'll get the majority of your exposures addressed. Then you come in, in a second round, and do dynamic. Dynamic really becomes more of a confirmation of security.
The other piece of advice I'd give is to "follow the directions." Make sure they understand how they're supposed to compile code. Take the advice of the program management team with their code, and follow their lead, and you'll come out in a very good position very quickly.
I'd give Veracode a 10 out of 10 because the rate at which we gained control of our security posture, from a development perspective, was fast. There is a lack of wasted time in our developer organization in chasing down erroneously reported vulnerabilities. The number of erroneously reported vulnerabilities is very low, and that means that our developer time is very effective as we investigate a reported issue. As I said, it's 96, 98 percent probability it is real. So our developers gain confidence and don't second-guess the results.
The level of detail that we are provided for a given vulnerability - the data path that it follows, the precision with which the justification is provided - is very high. Again, you're highly confident in the result. You are provided a tremendous amount of detail about the vulnerability it found. And the rate at which you can ramp up and be productive is very fast.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
DevOps Engineer at Barclays Technology
Helps save developers' time and helps to improve our ability to fix flaws
Pros and Cons
- "The best feature is definitely the detailed reports. It provides code-related queries in the order of high, medium, and low depending on what we need to do. Veracode is user-friendly as well."
- "Searching for applications in Veracode is a little bit difficult. We have to minimize the length of an application's name to 47 characters. It would be good if this limit could be increased so that an application's name can be properly reflected in Veracode."
What is our primary use case?
We use Veracode for security scanning purposes, and our security services team has developed the logic. We create the pipeline and run the Veracode scan for particular microservices. My role is to run the Veracode pipeline and to see all the detailed reports. Once the scan is complete, I download the Veracode report and share it with developers.
We have multiple environments, and all entities use the solution. We have approximately 1000 users.
What is most valuable?
The best feature is definitely the detailed reports. It provides code-related queries in the order of high, medium, and low depending on what we need to do. Veracode is user-friendly as well.
It provides all the details to prevent vulnerable code from going into production. The Veracode scanning report shows where we need to create security and how to encrypt usernames, passwords, or other details. It's very helpful from an application security perspective.
With this solution, we have visibility into application status at every phase of development including static analysis, dynamic analysis, software composition analysis, and manual penetration test throughout our SDLC. It is helpful for our DevSecOps processes because we get all the details before going into production. We can then talk with the design team and developers to fix any issues before going live.
Veracode helped to improve our ability to fix flaws.
It also saved our developers' time by 50% to 60%. Before going live, we always integrate Veracode with our application's build pipeline. Instead of resolving issues once it is live, we can fix them beforehand.
What needs improvement?
Searching for applications in Veracode is a little bit difficult. We have to minimize the length of an application's name to 47 characters. It would be good if this limit could be increased so that an application's name can be properly reflected in Veracode.
For how long have I used the solution?
My organization has been using Veracode for four years, and I've been working with it for two years.
What do I think about the stability of the solution?
Veracode is a stable solution.
What do I think about the scalability of the solution?
It is a scalable solution.
How are customer service and support?
Veracode's technical support is good, and I'd rate them a nine on a scale from one to ten.
How would you rate customer service and support?
Positive
What other advice do I have?
Overall, I'd give Veracode an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Full Stack Software Developer at DreamDev
The team can anticipate and correct issues earlier instead of waiting for someone to discover it when your application is attacked
Pros and Cons
- "Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered."
- "We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process."
What is our primary use case?
I am a software engineer, and one of my clients needed Veracode for security requirements. We needed to send the code through some security tools to see if there are breaches or malicious code that could attack the company. In this case, the client used Veracode to scan third-party libraries from our application. Veracode was running on a private cloud using Azure.
How has it helped my organization?
Veracode helped us prevent possible security breaches. The team can anticipate and correct issues earlier instead of waiting for someone to find the issue or discover it when your application is attacked.
The report is good because it has lots of security information. It isn't related to the code itself, like the line of the code or the connected library that contains an issue. It's sometimes difficult to figure out how to solve that.
Veracode saves time in the development process because we can anticipate security issues in an application. On the other hand, from a software development perspective, it could increase technical debt. After we develop a feature in the application and run Veracode, we might find some security issues we need to fix.
For example, we spent a month building a feature on an application, but during this month, Veracode found a security issue in the third-party library we were using and reported it. If we had found the issue mid-development, we would need to rebuild the solution. Sometimes, it might increase the technical debt of the application because this type of security flaw was not found previously in our daily work.
What is most valuable?
Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered.
What needs improvement?
We waste a lot of time figuring out which results are false positives, and it has affected our trust in the tool. After we've spent time training and setting up the tool correctly, we need to scan our code and remove all the false positives. Finally, it's good enough to identify our security issues.
We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process.
This hasn't happened in .NET or C# because we can use all the libraries used when coding. In JavaScript, it's tough, and we spend tons of time trying to find the issue. However, it's not a problem because it's a pre-compiled language. This isn't unique to Veracode. Black Duck does the same thing.
Maybe Veracode could automatically detect the language type first and improve the way it scans JavaScript to reduce the false positive rate for this specific language. Also, in the reporting area, it could connect to the source code Veracode uses for the third-party library.
When Veracode finds security issues, it creates a report with the number and description of the issues. Sometimes, we are not able to connect that issue with the third-party library containing the code and applications the developers are building. The relationship between the flaw in the code and the third-party library could be more apparent because developers may not realize that the root cause is the library, not the code itself.
The compliance features are good, but it's pretty picky in terms of what it considers a security issue. I and the other developers struggle to understand what is flagged as a security vulnerability. If you can see a security issue in there, you can see all the documentation, but it's difficult to relate that to the code to determine why the issue happened. It could be clearer how to find the issue in the structure of the code.
For how long have I used the solution?
I'm not using Veracode anymore, but I used it for eight months in the last year.
What do I think about the stability of the solution?
Veracode is stable overall. When we start the process on the Veracode side, the report generates in less than a minute, and we can see the issues. I don't have any problems with stability.
Which solution did I use previously and why did I switch?
I used a tool called Black Duck when I worked for another company two years ago. The client chose to use Veracode. It wasn't my option.
How was the initial setup?
We put Veracode in our pipeline, so the process runs automatically during development. It isn't something we can run manually. There are scripts that run when we start. There isn't any maintenance on the developer side. A designated team takes care of all this.
What was our ROI?
I don't think we've seen a return on this, but it's hard to calculate because you have to estimate the value of a breach that hasn't happened. This is the main benefit of using this tool. I don't know how to measure that.
What other advice do I have?
I rate Veracode eight out of 10. It can help you improve your security by identifying and preventing issues faster. At the same time, you should know that using Veracode will lengthen the development process because the team needs to check and correct issues. It could increase your development costs.
Using Veracode has challenged us to be more conscious of security. Sometimes, developers just want to build code. This tool allows you to check if the code or libraries are secure enough to add.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Cybersecurity Analyst at an educational organization with 11-50 employees
Has helped build developer security skills and made them more aware of things they should look for
Pros and Cons
- "One of the features they have is Software Composition Analysis. When organizations use third-party, open source libraries with their application development, because they're open source they quite often have a lot of bugs. There are always patches coming out for those open source applications. You really have to stay on your toes and keep up with any third-party libraries that might be integrated into your application. Veracode's Software Composition Analysis scans those libraries and we find that very valuable."
- "If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing."
What is our primary use case?
We use it to scan our biggest applications, our bread and butter. We've got a lot of developers using it in our organization, and we've got quite a few applications using it as well.
How has it helped my organization?
The solution has helped with developer security training and has helped build developer security skills. It has definitely opened their eyes and made them more aware of things they should look for. I try to get my developers to go to the Veracode seminars if there are new things to learn or if Veracode has made an improvement or they're going to announce something new. They have participated in those quite often, a few every month.
What is most valuable?
One of the features they have is Software Composition Analysis. When organizations use third-party, open source libraries with their application development, because they're open source they quite often have a lot of bugs. There are always patches coming out for those open source applications. You really have to stay on your toes and keep up with any third-party libraries that might be integrated into your application. Veracode's Software Composition Analysis scans those libraries and we find that very valuable.
We like their Dynamic Analysis as well. They changed the engine of the Dynamic Analysis and it does a better job. It scans better.
We use the solution’s Static Analysis Pipeline Scan. It's really good for assessing security flaws in the pipeline. Sometimes my developers have a hard time understanding the results, but those are only certain, known developers in my organization. I typically direct them to support, especially if I cannot answer the question, because I have full confidence in that process.
The speed of the static scan is good. Our bread and butter application, which is our largest application, is bulky, and it's taking four hours. That's our baseline to compare the Static Analysis Pipeline and its efficiency. If that's only taking four hours, I have no doubt about our other applications and the solution's static analysis efficiency.
The solution’s policy reporting for ensuring compliance with industry standards and regulations is really good as well. We're a state agency and we always look to be NIST compliant. We're always looking at the OWASP and CWE-IDs, and Veracode does a really good job there. I've used it often in trying to get my point across to the developers, telling them how bad a vulnerability might be or how vulnerable the application is, based on a vulnerability we may be finding.
What needs improvement?
If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing.
They have a pretty unique process to get guidance. It's not like you send them an email. You could do that, but if you want to set up a consultation call, you have to go to the website and give them a certain amount of detail so that they can study the problem and the detail and be ready to meet with you. It's not as simple as doing an email. You have to go to their website and you have to click on the "consultation" button and pick a time to talk with an engineer. Sometimes an engineer is not available for quite a while. You have to wait at least a couple of days before you can meet. Having to wait for two days is not that efficient. You should be able to set it up within 24 hours.
And regarding announcements from Veracode, I've tried to get them to let my developers know directly, and I'm not sure if that's happening. I want to tell Veracode to make sure that happens. I don't want them to send an announcement to me and then I have to disseminate that information to my developers. I want it to go directly to them. They've got the developers' names and emails in their database so those announcements should go directly to them.
For how long have I used the solution?
I believe the company got Veracode at the end of 2012. However, my association with Veracode has only been since about the end of 2014. So we had it for a couple of years before I got my hands on it and then I gradually started to use it and implement it to the point where it's at right now. Early 2016 is when I began administering it. I do other tasks, so it's not my full-time job. Veracode is just one of many hats that I wear. Nobody else administers it with me in our company.
How are customer service and technical support?
Veracode support is really good. I get a lot of help from them. I've been on a few calls with my developers and they're very competent engineers. If they don't have the answers, they'll get back to you.
What was our ROI?
I feel that management would not approve it if we were not getting our money's worth out of it. We have definitely seen ROI from Veracode.
Going forward, though, what may bring that into question is our transition to the cloud. We're not getting any benefit from those applications in the cloud. I think that should be addressed sooner rather than later. We're moving to the cloud more, and for our applications in the cloud we usually only go with FedRAMP-certified cloud vendors. So we're not actually even scanning those applications in the cloud with Veracode. Not all our applications are there, but close to 30 percent of them are there now.
And they have to address not being compatible with certain platforms that we use. That has to be addressed because the ROI question may be coming up sooner rather than later.
What's my experience with pricing, setup cost, and licensing?
The solution is very pricey.
What other advice do I have?
The product is very good, very reliable, and they've made a lot of improvements to the dashboards and the reports. They've made the product easy to use. There used to be a lot of things that you had to search for and maneuver to dig deep down for them, but you don't have to do that anymore. Many of the things are now at your fingertips, including performance reports. Those things are easy to get to.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Sales Engineer at a computer software company with 51-200 employees
Low false positive rate, good reports, and fair price
Pros and Cons
- "It is scalable and quick to deploy into the site and the pipelines. The reports and analytics are good, and the false positive rate is low. It gives true results."
- "There should be more APIs, especially in SCA, to get some results or automate some things."
What is our primary use case?
I help customers build and start their SecOps journey with Veracode.
How has it helped my organization?
Veracode helps to know and prevent vulnerable code or applications from being deployed. We can scan, consume reports, and fix vulnerabilities before deploying an application.
It is very good for ensuring compliance with industry standards and regulations. We can have many dashboards and reports related to policy management.
Veracode provides visibility into application status at every phase of development. We can have many analytics dashboards and reports, and we can build a custom dashboard to have this visibility. This visibility is essential for DevSecOps processes. We need this visibility and information to have a strategic approach and mature our security.
Veracode has the lowest false positive rate in the market. Its results are accurate. In some cases, it is very difficult to see a false positive. We report it to the engineers, and they analyze it. If it is truly a false positive, the engineers will update the engine to provide better results at the next scan. The false positive rate of the static analysis has not affected the time we spend on tuning policies.
It has had a very good effect on our organization’s ability to fix flaws. We are developing a new feature, and Veracode will help to quickly fix any flaws.
It has helped our developers save time, but I do not have the metrics.
What is most valuable?
All features are valuable. I especially like SAST and ADO.
It is scalable and quick to deploy into the site and the pipelines. The reports and analytics are good, and the false positive rate is low. It gives true results.
What needs improvement?
There should be more APIs, especially in SCA, to get some results or automate some things.
For how long have I used the solution?
I have been using this solution for almost three years.
What do I think about the stability of the solution?
It is very stable.
What do I think about the scalability of the solution?
It is very scalable. I help other companies to deploy. Some of them are small, and some of them are big.
How are customer service and support?
Their support is good. I would rate them a nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have not used any other solution previously. I have only worked with Veracode.
How was the initial setup?
It is a SaaS solution. Its initial setup is straightforward. I started with the most critical applications and automated the scanners inside the pipeline. After getting the results, I aligned the security policies. I prioritized the most critical vulnerabilities and assigned these reports to different groups and teams. I also integrated the other plugins into the IDE.
What about the implementation team?
I implemented it myself. I work with DevOps and security teams. In some cases, I also work with developers.
It does not require any maintenance. Because it is a SaaS solution, the maintenance is provided by them.
What was our ROI?
The ROI is in terms of time savings and mature security. When you deploy a solution like Veracode, you can have these quickly.
It reduces the cost of DevSecOps for the organization when you use it for more than one year.
What's my experience with pricing, setup cost, and licensing?
Its pricing is fair.
What other advice do I have?
It is essential and perfect for preventing vulnerable code from going into production. Nowadays, it is very important and sensible to have a solution like Veracode to know all the vulnerabilities and manage and prioritize the ones that are more critical and better for security posture.
I have not used the Software Bill of Materials (SBOM) feature much, but it is easy to create a report using the SBOM feature. It is important for the supply chain that your software uses.
I would rate Veracode a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer:
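The second and third reviews above describe what Software Composition Analysis and the SBOM report do for them: match the third-party libraries an application pulls in against known advisories, and show which dependency chain introduced the affected library. The script below is an added example of that matching logic, written for this page; it is not Veracode's code, does not use Veracode's API, and does not reflect how its engine works internally. The SBOM fragment (CycloneDX JSON layout), the package names and the advisory entries are all constructed for illustration and make no claim about any real package or vulnerability.

```python
"""Minimal SCA check over a CycloneDX-style SBOM (added example, not Veracode's code).

The SBOM, the package names and the advisory list below are constructed for
illustration. A real SCA tool pulls advisories from vulnerability databases and
handles far more version-range shapes than the 'fixed in X' rule used here.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed SBOM: one application root, three components, a transitive chain.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "shop-api", "version": "3.1.0"}},
  "components": [
    {"bom-ref": "pkg:npm/leftpad-plus@4.17.15", "name": "leftpad-plus", "version": "4.17.15", "purl": "pkg:npm/leftpad-plus@4.17.15"},
    {"bom-ref": "pkg:npm/tinyrouter@4.18.2", "name": "tinyrouter", "version": "4.18.2", "purl": "pkg:npm/tinyrouter@4.18.2"},
    {"bom-ref": "pkg:npm/fastparse@6.5.2", "name": "fastparse", "version": "6.5.2", "purl": "pkg:npm/fastparse@6.5.2"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/leftpad-plus@4.17.15", "pkg:npm/tinyrouter@4.18.2"]},
    {"ref": "pkg:npm/tinyrouter@4.18.2", "dependsOn": ["pkg:npm/fastparse@6.5.2"]}
  ]
}
"""

# Constructed advisories: (ecosystem, package, fixed-in version, identifier).
# A component is affected when its version is strictly below "fixed-in".
# Fictitious packages and identifiers; not real advisories.
ADVISORIES = [
    ("npm", "leftpad-plus", "4.17.21", "EXAMPLE-ADV-0001"),
    ("npm", "fastparse", "6.5.3", "EXAMPLE-ADV-0002"),
    ("npm", "tinyrouter", "4.0.0", "EXAMPLE-ADV-0003"),  # already fixed in the scanned version
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a MAJOR.MINOR.PATCH prefix into an int tuple; pre-release tags are ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:<type>/<name>@<version>' into (ecosystem, name, version)."""
    m = re.match(r"^pkg:([^/]+)/(.+)@([^@]+)$", purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl!r}")
    return m.group(1), m.group(2), m.group(3)


def reverse_dependencies(sbom: dict) -> Dict[str, List[str]]:
    """Map each bom-ref to the refs that depend on it (child -> parents)."""
    parents: Dict[str, List[str]] = {}
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            parents.setdefault(child, []).append(entry["ref"])
    return parents


def path_to_root(ref: str, parents: Dict[str, List[str]], root: str) -> List[str]:
    """Walk up the first parent chain from a component to the application root.

    This is the 'which dependency pulled this in' link that the second review
    wanted to see more clearly in the report.
    """
    path, seen = [ref], {ref}
    while path[-1] != root:
        candidates = [p for p in parents.get(path[-1], []) if p not in seen]
        if not candidates:
            break  # orphan component: report the partial chain rather than loop
        path.append(candidates[0])
        seen.add(candidates[0])
    return list(reversed(path))


def scan(sbom_json: str, advisories) -> List[dict]:
    """Return one finding per (component, advisory) pair whose version is below fixed-in."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    parents = reverse_dependencies(sbom)
    findings: List[dict] = []
    for comp in sbom.get("components", []):
        eco, name, version = parse_purl(comp["purl"])
        for adv_eco, adv_name, fixed_in, adv_id in advisories:
            if (eco, name) != (adv_eco, adv_name):
                continue
            if parse_version(version) < parse_version(fixed_in):
                findings.append({
                    "id": adv_id, "component": name, "version": version,
                    "fixed_in": fixed_in,
                    "path": path_to_root(comp["bom-ref"], parents, root),
                })
    return findings


if __name__ == "__main__":
    for f in scan(SBOM_JSON, ADVISORIES):
        print(f"{f['id']}: {f['component']}@{f['version']} (fixed in {f['fixed_in']}) "
              f"via {' -> '.join(f['path'])}")
```

Run as written, the script reports the two outdated components and, for the transitive one, the chain app -> tinyrouter -> fastparse, which is exactly the root-cause link a developer needs when a finding points at a library they never imported directly. The "fixed in" rule is deliberately simple; production SCA has to handle version ranges, ecosystem-specific version grammars and components that appear under several bom-refs.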