reviewer1258986 - PeerSpot reviewer
Enterprise Architect, VP at a financial services firm with 501-1,000 employees
Real User
Enables us to identify potential problems in applications and fix them before they are used in ways they should not be but has false positives
Pros and Cons
  • "This is a great tool for learning about potential vulnerabilities in code."
  • "There were some additional manual steps or work involved that we should not have needed to do."

What is our primary use case?

The primary use case for us was looking for web applications that might have vulnerabilities that could be compromised. Specifically, I was managing a team and we had built a lot of applications as well as having purchased applications from vendors. We were working with a security team to go through and scan those applications for vulnerabilities using Software Composition Analysis. We were trying to avoid situations where somebody could do something that they should not be able to do, like get at data.

How has it helped my organization?

The product helped improve our organization by helping us to identify potential problems in applications and fix them before they were used in a way that they should not be. In essence, it helped enhance our security. I think another thing it did is that it kind of helped us with the general education level of staff working on the projects. Developers or technical stakeholders specifically were presented with the opportunity to understand things that maybe they did not before.

We were not doing the training piece of the process when we were onboarding the product, but just adopting the platform definitely increased their awareness and knowledge about potential issues in development and application vulnerabilities.  

What is most valuable?

One of the best things about the solution is that I think it is kind of easy to get started using it. The pain of adoption is low. Once you have the code scanned, there is a lot of information that you have to plan time to go through and work with other teams to get things resolved or dispositioned.

I think that it was easy to get started, but there was also definitely a learning curve in terms of people needing to understand what the reports meant and what to do about the information that they were getting.  

What needs improvement?

There is a concept called false positives where things might come up as a potential issue but they really are not. In our case specifically, we might get a false positive when a potential vulnerability is discovered through Veracode analysis, but the way that the application is built makes it so what appears to be a vulnerability is not really an issue. Stated a different way, even though there might be something that prevents that particular event from ever happening, the product does not correctly detect the safeguards or the impossibility of the issue arising.  

When a false positive gets reported by the Composition Analysis, it results in more work for you to do than you should have to. There is a lot of information to go through and so some of it is due to those false positives. You either have to do work to eliminate the false positives being identified, or you have to look at the alert and determine that it is harmless.  

As far as what might be added in future releases, more artificial intelligence capabilities would be desirable. I do not know if they have it now. Maybe one example could be to make more focused suggestions or give more information in the reports to locate the cause of the issues. It should be something that improves results over time so that people do not have to do as much work to understand the details.  

Buyer's Guide
Veracode
November 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Veracode Software Composition Analysis for probably around three years.  

What do I think about the stability of the solution?

I would say it is definitely stable. There were no problems with the platform itself. It has been reliable. We never had issues where we needed to call support.  

What do I think about the scalability of the solution?

I think the opportunities for scalability are good because we did not come upon issues that caused us to wonder about its limitations. We have not really pressed to find scalability problems. So my impression is that scalability is good. We did not experience issues due to bottlenecks or anything like that.  

Our group of users contained a mix of roles. It was developers, project managers, testers, information security analysts, and engineers. It was probably a total of around 30 to 40 people.  

For deployment and maintenance, there were really just like a couple of people. There was not a full-time dedicated need for it.  

How are customer service and support?

There were times when we had to deal with support when we ran scans and we were reviewing results. There were times when we needed to either open a ticket or talk to somebody who had some expertise in a specific area. That process was timely and they were responsive. So that was good.  

Veracode actually has a separate subscription that you can participate in that is something like a learning management catalog. I think that the training piece of support has definitely improved over the course of when we used it.  

Which solution did I use previously and why did I switch?

We did have a different product, but it was a little bit for a different purpose. We were using a different product, but it complemented the Veracode product.

How was the initial setup?

The initial setup was pretty straightforward. That is part of it being an easy solution to get started with.

The deployment started smaller in employing the product to analyze a subset of our applications. It initially was being employed to look at the vendor applications that we had. I would probably say that initial period was about three to six months. That effort was focused on one group and did not really include all of the technical people and developers.  

Once we saw what it could do, it got adopted and we rolled it out to more people. So we kind of employed it in stages. The first part, which was essentially a test period, was three to six months. Then pushing it out for broader adoption in the next part was another three to six months.  

What about the implementation team?

We did not use integrators. We did have the training and we did have professional services in the form of customer support from Veracode.  

What's my experience with pricing, setup cost, and licensing?

I do not remember the licensing costs off hand. I would probably estimate it to be between 50,000 to 75,000 in our case.  

What other advice do I have?

The advice that I would have for people who are new to the product would be to start with a proof of concept. This will help you to see how the product works with your process and people.  

The biggest lesson I have learned from using this solution is that it definitely increased my education on how to prevent application vulnerabilities earlier on and how not to repeat them. It also helped me as a manager to better understand how to guide and coach people.  

On a scale from one to ten where one is the worst and ten is the best, I would rate this product probably as a seven, if I am going back in time. I thought that there was room for improvement, but at the same time, it did what we needed it to do. We got what we expected. So I thought it was good, but I also think there were some additional manual steps or work involved that we should not have needed to do. That is really why I do not rate it with a higher number.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Systems Engineer at Shiftmovers
Real User
Top 10
By continuously scanning our applications, we can mitigate risks that may arise in some workflows
Pros and Cons
  • "Veracode's most valuable aspect is continuous integration. It helps us integrate with other applications so that it can monitor the security process."
  • "Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses."

What is our primary use case?

Veracode helps scan applications for security purposes to ensure they are safe before deployment. The solution is continuously monitoring the security of our infrastructure and workflows. About five people use the solution across our organization. 

How has it helped my organization?

Our security posture has improved since we implemented Veracode because our developers have a better understanding of the security risks that may arise due to some actions we take on various projects and tasks. We're more aware of how vulnerabilities can be introduced into our daily work. 

Veracode has reduced the amount we spend to remedy security risks by about 60 percent. Security testing is much easier than before. The time needed to address vulnerabilities can affect the workflows and lead to late delivery of our services across customers. It has helped us to mitigate risks by effectively monitoring workflows. The conditional scanning procedures we previously used have been replaced by modern systematic algorithms.

Veracode saves time and costs because it's flexible in terms of an organization's data requirements. It can provide data intelligence from various work platforms and guidance on the best practices for security mitigation so we can safeguard our data in various work processes.

The solution enables us to establish a strategic policy management infrastructure to monitor the performance of each application periodically and report on the security performance. The dynamic analysis gives us feedback from time to time and performance metrics inside the program interface. 

This platform is one of the most efficient and effective tools for upgrading applications to meet an organization's performance standards and policies. It helps us improve our development because sometimes the coding procedure might not reflect the latest threats. 

What is most valuable?

Veracode's most valuable aspect is continuous integration. It helps us integrate with other applications so that it can monitor the security process. By continuously scanning our applications, we can mitigate risks that may arise in some workflows. It streamlines compliance, policy management, and reporting on various data analytics. We use it daily to gain insight into our work processes.

The solution is built into our SecOps program. It offers modern policy management, essential support, and analytics features. It's efficient with fast and powerful risk-mitigation tools.

What needs improvement?

I think Veracode could integrate some advanced technologies to better address new threats as they arise. 

For how long have I used the solution?

We have used Veracode for about a year.

What do I think about the stability of the solution?

Veracode has been a stable product. We've had some downtime, but it has performed well overall. 

How are customer service and support?

I rate Veracode support a nine out of ten. Veracode's support team has always been helpful. When we contact them by phone or online chat, they respond quickly with a solution within the time frame established in our support contract.  

How would you rate customer service and support?

Positive

How was the initial setup?

Deploying Veracode was straightforward, and we had help from the vendor's support team. Our deployment team has six members, and the whole process took about three weeks. 

After deployment, the product requires some maintenance. We sometimes face some networking challenges that require repairs, and we need to periodically update some tools.

What was our ROI?

Veracode is a good investment, and I can recommend it to anyone who is looking for the best security tester. I estimate that we saw a 60 percent ROI this year, and it continues.

What's my experience with pricing, setup cost, and licensing?

Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses. 

What other advice do I have?

I rate Veracode an eight out of ten. I would recommend it to others who need to do testing for application performance or security and risk management. 

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer2067186 - PeerSpot reviewer
Product Marketer at a media company with 1,001-5,000 employees
Real User
Top 5
We are able to create more applications and code more, while worrying less about errors while coding
Pros and Cons
  • "The dashboards and the threat insights it provides are very good. The dashboards are intuitive and pretty straightforward, but also pretty detailed."
  • "The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives."

What is our primary use case?

The main purpose of Veracode is to deliver secure code on time. We use it to test our application security, at the implementation stage to make sure that code is secure. We do static and dynamic testing, as well as penetration testing with Veracode. We also use it for security threat detection for our enterprise applications.

How has it helped my organization?

It empowers our developers to fix security issues and achieve desired outcomes. It's a very secure cloud platform and helps us monitor our web sources for any attack. We have been able to completely secure our enterprise software, which is on the cloud, with the solution. Overall, we have been able to reduce the risk factors for our enterprise software. Also, determining security threats to our application happens faster now with the help of Veracode. The benchmarking capabilities against industry standards and the compliance help us a lot.

Veracode also provides a lot of programming language support and different frameworks are available, which enables us to get things into production much more efficiently. Our SDLC has become much smoother and more secure with Veracode.

And it has definitely helped our developers save time. It helps them with future references because, if they write code one time with errors that Veracode finds, the next time they use that as a reference and don't repeat the mistake. In that way, in the continuous development process, a lot of time is saved. It saves us about 20 percent of our time.

We are able to create more applications now, and code more, while worrying less about errors while coding. Worrying about fixing the flaws in an application is completely taken care of by Veracode, so we are able to focus more on creating new code and developing new applications. Veracode has been a great platform for that particular purpose.

We have also found more security vulnerabilities in our code, which has helped us produce much better applications for our end-users. Most of the time, vulnerabilities go unnoticed by humans. Veracode helps us pinpoint the exact vulnerability, what it affects, and it helps us correct it for future reference.

What is most valuable?

One cool feature is the static code scan, which is very good. 

Also, the dashboards and the threat insights it provides are very good. The dashboards are intuitive and pretty straightforward, but also pretty detailed.

We get good, actionable insights at each stage, including static, dynamic, and penetration analysis, and it reduces overhead for us. 

It also has compliance monitoring and reporting capabilities that I like very much. The compliance reporting is a great feature because there are a lot of different frameworks and channels, and each unique channel has its individual compliance monitoring and policies. Veracode helps us prepare for all the different challenges.

What needs improvement?

The false positive rate is a gray area. The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives. We expect false positives, but if that ratio could be reduced to a single-digit number for the false positives, that would be much more helpful.

We are spending some manual effort and time on this because it happens sometimes, when we first scan code, that it says there is no threat. And the second time we scan it, it says there is a threat. Those kinds of positive responses make us do double work. If that was better, it would greatly improve our overall efficiency.

Apart from the false positives, I would like to see more plugins and integrations to make Veracode much more user-friendly for developers and users. Any IDE plugins would make our work faster.

For how long have I used the solution?

My experience with Veracode has been over 12 to 14 months.

What do I think about the stability of the solution?

Overall, because it is a cloud platform, stability is not a concern. It's quite stable. To be strict about things, the UI can be very slow. There is downtime now and then, and I understand why it happens, but I would appreciate it if that happened less.

What do I think about the scalability of the solution?

We are not going to scale it right now. We have about 18 developers and five or six administrators using the solution, and I don't expect that will change for now. But you can purchase more licenses. It's definitely scalable in that sense.

We have it in a single location only and it is used across three or four development teams in our office.

How are customer service and support?

Veracode support is very knowledgeable and very prompt. The Veracode community is also available, which is very good.

How would you rate customer service and support?

Positive

How was the initial setup?

It's only deployed on the cloud. Although I was not a part of the initial deployment, I know for a fact that the deployment can take a long time.

As for maintenance, there are software updates, but apart from downloading the software updates, there isn't any other maintenance required on our side. It's a cloud platform so it self-maintains.

What was our ROI?

Our ROI is that we have seen a tremendous increase in the overall security of our enterprise software. It has helped us engage better with our clients and our retention rate has increased about 7 percent. We can't pinpoint that directly to using Veracode, but since we started using it we have seen this retention increase.

What's my experience with pricing, setup cost, and licensing?

The pricing is fair. We are planning to renew for the next year.

It's definitely value for money. I would tell someone who is looking at Veracode not to be concerned about the pricing because the value that they will get, for this price, in the market, is very good when it comes to their long-term plans.

What other advice do I have?

If a proof of concept is possible, I would ask you to try it out first to get a sense of what Veracode is before investing. But investing in this tool is very much needed. With security threats, for long-term purposes, the code-level threat detection and code-level error detection are very much needed by any organization.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Ajit Matthew - PeerSpot reviewer
Sr. Partner IT and Information Security at themathcompany
Real User
Easy to use, responsive technical support, and it provides levels of certification for compliance
Pros and Cons
  • "The Veracode technical support is very good. They are responsive and very knowledgeable."
  • "The training lab is not very user-friendly and takes a long time to set up."

What is our primary use case?

We use Veracode for static and dynamic code analysis, as well as software composition analysis (SCA). Using it ensures that our products are compliant, and it also provides an external method to assure our customers that our products are free from any flaws, or application security issues.

Our product resides on the Azure Cloud, and we have Veracode access it directly.

How has it helped my organization?

Using Veracode has helped to improve our organization in that we now have discipline in terms of periodically scanning our systems. We do this every six months, and it is done to meet our compliance requirements.

We are now at the point where it is integrated as part of our software lifecycle automation. I can't point to a particular example of how it has improved our product, although it has helped in terms of validating our product. Also, it has shown us the competency of our teams.

What is most valuable?

The certification levels are helpful. There are different levels where I think that five is the highest, and we are at level four. Having that badge and showing that we are compliant to that level helps one's reputation in the market.

The interface is easy to use.

What needs improvement?

The training lab is not very user-friendly and takes a long time to set up. This is an area that should be improved because we've not used it as much as we should have.

For how long have I used the solution?

We have been using Veracode for more than a year, since January 2021.

What do I think about the stability of the solution?

This is a pretty stable product. I would rate the stability an eight out of ten.

What do I think about the scalability of the solution?

I can't specifically speak to scalability because we only engage with them for a single product. However, I do think that scaling might be expensive and is probably something that needs to be negotiated.

How are customer service and support?

The Veracode technical support is very good. They are responsive and very knowledgeable. Every time we wanted to set up a meeting, they responded very quickly. In terms of the instructions that they provide, the details are very explicit and although there's a lot to refer to, we can get what we want fast. We don't get lost in what we need to look at.

I would rate the customer support an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not use another similar solution prior to Veracode.

How was the initial setup?

I was not heavily involved in the initial setup and deployment, although I understand that it was straightforward. We were able to start using it and scanning our code on day one.

It's all on the web, so there is not much to set up. We just have to configure the access so that the web tool can connect, and it takes it from there.

Except for the Lab component, we didn't have to keep contacting our Veracode account manager.

What about the implementation team?

We completed the deployment ourselves.

There were two people involved. The first was our IT person, and the second was a senior member of the engineering team. There is no maintenance required.

What was our ROI?

It's too early to say whether we have seen ROI because we're marketing our product and services to newer customers. We haven't had visibility from that perspective, yet.

What's my experience with pricing, setup cost, and licensing?

The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us. It's an expensive product but we are paying for quality.

Which other solutions did I evaluate?

We evaluated two or three different products before choosing Veracode. 

The reasons that we chose Veracode were their reputation and ease of use. Also, one of the senior people on the team had previous experience with it.

Another point is that their pre-sales team was very professional. Their discussions helped us in terms of getting to what we wanted.

What other advice do I have?

My advice for anybody who is looking into Veracode is that it's one of the very few solutions that can perform dynamic, static, and software composition analysis.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1436241 - PeerSpot reviewer
DevSecOps Consultant at a comms service provider with 10,001+ employees
Real User
By using Pipeline Scan, which supports synchronous scans, our code is secure
Pros and Cons
  • "There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We have been using it out of the Jira plugin, and that is fantastic."
  • "Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of high-level insights."

What is our primary use case?

We use the Veracode SAST solution to scan the Java, Node.js, and Python microservices as part of our CI/CD pipeline, wherein we are using our CI/CD server as Bamboo, Jenkins, and GitLab CI/CD. 

We have teams for both our cloud pipeline and on-prem pipeline, and both teams use this solution. We are using Veracode to constantly run the internal application source code and ensure the code's security hygiene.

How has it helped my organization?

Before, the pentesting was happening at a later part of the SDLC. Now, we have been getting early feedback about insights from Veracode, including traction around the application security aspects. Developers keep coming to us and asking questions. Veracode has built a bridge between the development and security teams, which is something really helpful in an organization.

Veracode has helped us build security training in our clients' organizations.

The solution’s policy reporting for ensuring compliance with industry standards and regulations is very helpful. We use Veracode to scan for vulnerabilities. This helps us comply with regulatory standards for the European region. While the policy scanning takes time, it is very good from a compliance point of view.

What is most valuable?

There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We have been using it out of the Jira plugin, and that is fantastic.

We are using the Veracode APIs to build the Splunk dashboards, which is something very nice, as we are able to showcase the application security hygiene to our stakeholders and leadership. 

We have been using Veracode Greenlight for the IDE scanning. 

Veracode has good documentation, integrations, and tools, so it has been a very good solution. 

Veracode is pretty good about providing recommendations, remedies, and guidelines on issues that are occurring.

It is an excellent solution. It finds a good number of the securities used, providing good coverage across the languages that we require at our client site.

We have been using the solution’s Static Analysis Pipeline Scan, which is excellent. When we started, it took more time because we were doing asynchronous scans. However, in the last six months, Veracode has come with the Pipeline Scan, which supports synchronous scans. It has been helping us out a lot. Now, we don't worry when the pentesting report comes in. By using Veracode, the code is secure, and there are no issues that will stop the release later on in the SDLC. 

The speed of the Pipeline Scan is very nice. It takes less than 10 minutes. This is very good, because our policy scans used to take hours.

Veracode is good in terms of giving feedback.

What needs improvement?

We would like to see fewer false positives. 

Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of high-level insights.

Veracode has a little bit of noise. Sometimes you will get a lot of issues, which you just need to triage. While the solution is excellent, it does come with a little bit of noise.

For how long have I used the solution?

We have been using the solution for a year and a half.

What do I think about the stability of the solution?

The stability is good, except every month it needs maintenance. So far, we haven't had an outage during UK working hours, e.g., where we are unable to access the platform. There were some issues out-of-the-box, but now it's pretty much fine.

What do I think about the scalability of the solution?

More than 100 people are using the Veracode solution in our organization. Mostly, the guys who use Veracode are developers, QA engineers, product owners, Scrum Masters, and some data scientists.

We have a three-person team of security guys who maintain the entire service. The security guys have automation skills and can write the code. We are one squad in a company out of 21 squads. We are a security squad who helps other development teams with Veracode as part of their DevSecOps.

We have adopted Veracode across three lines of our client's business. In the future, we may expand Veracode into more lines of business.

How are customer service and technical support?

The technical support sometimes takes 48 hours to get back to us. Some of the support staff are not that great. There is no extra support on Slack channel nor is there a chat. Instead, we just have to wait for an email. They gave us a mobile number, which sometimes doesn't work. Then, if it does, it takes time. The technical support is something that needs to be improved.

Veracode's application security team is very helpful. If we are not getting the answers that we need, this team will come and assist us. For example, we had a call with their application security team who helped us determine best practices. They are good and very professional. 

Their account team is helpful and knowledgeable.

We use the solution’s support for cloud-native applications, like AWS Lambda. We have a cloud pipeline, where some of our microservices functions are getting developed there. Less than five of our squad use this service.

Which solution did I use previously and why did I switch?

Because of my consulting background, I have used other solutions prior to the use of Veracode. However, Veracode was the first solution implemented of its type. Before Veracode, developers didn't know how they could develop secure software. After Veracode was implemented, developers knew when they wrote code that they could scan it in their IDEs. Also, while pushing a deployment, they can get feedback from the Pipeline Scan.

How was the initial setup?

The initial setup is straightforward. It took us three months to deploy the entire solution across all the squads at our site via Pipeline Scan as well as have the squads adopt it. If you are familiar with security, you can be up and running with the solution in a week's time.

Our implementation strategy was to give the Greenlight IDE plugin to all the developers and enable the microservices. Then, we wanted to let the non-human account use the new unlimited account and all the source code. This has helped us in the last year and a half, as we have over 150 microservices being scanned by the Veracode platform.

What about the implementation team?

Customer support was amazing during the evaluation phase.

What was our ROI?

The ROI seems good so far. The client is happy with what they invested in Veracode. Having our developers now think about security is also helping us out.

The solution has reduced the cost of AppSec a little bit for our organization through the automation of pentesting.

We have seen a 30 percent reduction in pentesting. Using Veracode, we can do faster releases.

What's my experience with pricing, setup cost, and licensing?

Veracode's price is high. I would like them to better optimize their pricing. 

Which other solutions did I evaluate?

Veracode's price is a little higher than other tools. However, they are the market leader.

Micro Focus Fortify doesn't have good APIs. Instead, they rely on a CLI, whereas Veracode is more API and DevSecOps friendly. Veracode's scanning time is better than Fortify's.

What other advice do I have?

It is an excellent solution. I would recommend adopting it. If you come from a security background, Veracode is an easy solution. If you don't come from a security background, the adoption of Veracode will take a bit of time.

Veracode has been integrated with our IDEs. It has been also integrated with our DevOps CI/CD server, which is Bamboo, Jenkins, or GitLab CI/CD. It is all pretty neat and clean. 

I would rate this solution as a nine out of 10.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Associat7de6 - PeerSpot reviewer
Associate Director
Real User
Provides security of different Shadow IT activities in our environment; however, there are limitations on reporting causing bottlenecks
Pros and Cons
  • "The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process."
  • "It provides security of different Shadow IT activities in our environment, especially around application development and website hosting."
  • "We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass."
  • "Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling a consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight."

What is our primary use case?

Application security scanning.

How has it helped my organization?

It has helped us identify all the application flaws, especially with so many open source licenses available to the developers. This product allows you to plug all those gaps where you may open up backdoors. This tool has helped us every day with our goal to plug all those gaps.

We help make changes from the initial NAS that we sign up with the vendors and any third party who might be involved in our telephone activities. They have to ensure that phone is a standby application and security tool, plus we also make the changes in the workflow for any application. Before it is deployed into operations, it has to have a security certificate which proves that it has a Veracode application security certification on it and all the flaws that have been identified have been removed.

What is most valuable?

It has several components that help you identify vulnerabilities in the code. It also provides security of different Shadow IT activities in our environment, especially around application development and website hosting.

What needs improvement?

They are already working on it, but we are looking forward to seeing it. We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass.

Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling a consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight. Therefore, if you have the report ready and want a consultation, it sometimes takes more than three to four days to arrange a meeting. I feel that waiting four days to get a consultation and understand the report around whatever has been identified is a bottleneck.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

We have not seen any major downtime.

How are customer service and technical support?

I would rate their technical support as a nine out of 10.

The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process. Therefore, they have been quite helpful.

They have an account manager for personal relations between the customer and their technical people. This person takes care of bringing them the right person to address any issues that we have.

Two years back, Veracode was having issues. It was taking a long time to start the application, and we worked with their technical support. They also have been constantly improving the platform.

Which solution did I use previously and why did I switch?

We did not previously use another solution.

How was the initial setup?

It was a bit complex initially when we started, because we had not been previously exposed to any such tool.

It is a SaaS tool. So, towards the end, we did not have to install anything. We just needed an account for the platform to upload the build. There was an initial issue, because people were not previously exposed to this type of process, and it was something new that they were being asked to do.

What was our ROI?

It has helped us reduce our overall time to remedy any vulnerability, which can be found after being rolled out and put into production. Though, I cannot give you the number. It is always better to safeguard the environment rather than being hacked or having production downtime. In three years, we have not had any breaches or we seen any reduction in Shadow IT.

What's my experience with pricing, setup cost, and licensing?

It is pricey. There is a lot of value in the product, but it is a costly tool.

The customer should demand better turnaround times for the money that they are paying, especially around the reporting and standing up processes that we need to go through. It needs much more technical information on the platform, with a tool that can help with information, or have 24/7 support available; then it will be worth the price that we are paying, because right now, we don't have many options. There are not many companies who are in the market for Veracode, who want this type of in-depth analysis and examination. That is why customers, with the money that they are paying, have room for improvement in the scope of the Veracode product.

I recommend going for a one-year licensing with CA, because currently they are the leaders in this field with more features and a much better turnaround time with a cheaper position, but there are a lot of new companies coming up in the market and they are building up their platforms. I suggest not getting tied up with a long-term commitment, because I have seen with Black Duck that they are almost one-third of the price of the big platforms. Once the same features and functionality (or a lot better performance) are available in the market, people are going to migrate away from this platform. The market is changing so fast, and with the Black Duck acquisition, it is also expected that we may get a solution with a much faster platform and much better service at a cheaper price.

Which other solutions did I evaluate?

We did a PoC with Black Duck.

What other advice do I have?

I would rate the product as an eight out of 10 for recommending it to colleagues.

I would rate the overall product as a seven out of 10.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
SVP Application Security at a financial services firm with 10,001+ employees
Video Review
Real User
Remediation consulting calls with the vendor help us find vulnerabilities much faster
Pros and Cons
  • "The most valuable feature is the remediation consulting that they give. I feel like any vendor can identify the flaws but fixing the flaws is what is most important. Being able to have those consultation calls, schedule them in the platform, and have that discussion with an applications expert, that process scales well and that is what has allowed a lot more reduction of risk to happen."
  • "One of the best things they offer is the scalability. The fact that you can work with it through the cloud means that if you have unintegrated business units, you don't have to worry about having a solution on-prem and having the network connection; you don't have to worry about giving up source code, you are just sending your binary files for most of the applications. So it scales much faster."
  • "I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of the stuff; more hand-holding in the sense of understanding our environment."
  • "They cover a lot of languages already and it doesn't make sense for them to cover legacy languages but I know there is a need for covering legacy languages."

How has it helped my organization?

It has allowed us to scale and find vulnerabilities much faster than previous manual tools. It has allowed us to educate developers on it to use the consultation calls.

What is most valuable?

The most valuable feature is the remediation consulting that they give. I feel like any vendor can identify the flaws but fixing the flaws is what is most important. Being able to have those consultation calls, schedule them in the platform, and have that discussion with an applications expert, that process scales well and that is what has allowed a lot more reduction of risk to happen.

What needs improvement?

I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of the stuff; more hand-holding in the sense of understanding our environment.

They cover a lot of languages already and it doesn't make sense for them to cover legacy languages but I know there is a need for covering legacy languages.

My biggest need, the kind of feature I would want, is more on the technical support side.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

In the early years, it was a little less stable but I know they have switched to more of an Agile CI/CD methodology and I have seen a lot more stability since they moved to that methodology.

What do I think about the scalability of the solution?

One of the best things they offer is the scalability. The fact that you can work with it through the cloud means that if you have unintegrated business units, you don't have to worry about having a solution on-prem and having the network connection; you don't have to worry about giving up source code, you are just sending your binary files for most of the applications. So it scales much faster.

How are customer service and technical support?

The technical support is good. I like the fact that you can email Veracode support. You get a very fast response, usually within the same day. 

If you don't have an SPM, Solution Program Manager, to escalate issues after that - you don't have to escalate a lot of issues, but if you do and you don't have feature - that is where they seem to fall down a little bit. So they need help with their level-2 and level-3 support. They do very well at level-1 and then you need to escalate, sometimes. That is where they need to improve a little bit.

Which solution did I use previously and why did I switch?

At a previous company, we were using HPE Fortify. We couldn't scale because it was an on-prem solution. Therefore, after five years, we decided to break out of the mold and use a SaaS solution. We were comfortable at the time doing so because we weren't sending source code, for the most part. As soon as we went to a cloud solution we scaled dramatically.

What I look for in a vendor is 70 percent a technical match with the features and benefits we need, and for the remaining 30 percent, I look at the culture of the company because, for me, it is a relationship. I want to have a partnership and I want it to feel like a win-win. If they feel like it is a short-term decision, get in, get out, I want to know that. I want to be able to talk to them at any time and add service enhancements, feature enhancements, those kinds of things. It's a 70-30 split for me.

How was the initial setup?

The implementation is straightforward in the sense that there are a lot of APIs to integrate, and they have a lot of connectors that do that for you.

Which other solutions did I evaluate?

HPE Fortify, Checkmarx, IBM AppScan. It really was between HPE Fortify, most of the time, and Veracode. I typically like Veracode because it is a SaaS solution. You have other providers now that do the same SaaS but then it goes back to the relationship and the partnership. I feel that I have that with Veracode.

What other advice do I have?

I would give Veracode a nine out of 10 because it scales incredibly well, they have very qualified people working there who are able to clearly articulate what the problems are when they are talking in a remediation or consultation call. They are very knowledgeable, they are not condescending when they talk to a developer. The tool is very easy to consume. It's not like looking at a menu with 20 pages at a restaurant, it's very simple to digest. They have a lot of API connectors, they cover a lot of languages and it just scales. You can't beat that. Finally, the relationship is great with them.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Analyst at a tech services company with 11-50 employees
Reseller
Top 20
An easy-to-use tool with a helpful community and an efficient technical support team
Pros and Cons
  • "The SAST and DAST modules are great."
  • "It will be beneficial for developers if Veracode Greenlight includes Python."

What is our primary use case?

The solution is used for performing application security processes like source code assessment, dynamic assessment, and SCA.

How has it helped my organization?

We sell the product to our customers. We are a vendor.

What is most valuable?

The SAST and DAST modules are great. The scanning part is also good. It’s pretty easy and convenient to use. Everything is described within the product. Almost everything is available in the community and the guidelines.

What needs improvement?

Veracode Greenlight scans the code while the developer writes it. It will be beneficial for developers if Veracode Greenlight includes Python.

For how long have I used the solution?

I have been using the solution for almost one year.

What do I think about the stability of the solution?

The tool is stable.

What do I think about the scalability of the solution?

The scalability of the product depends upon the pricing. The price is a bit high for a small company. It is suitable for a large company.

How are customer service and support?

Support is very good. The support team resolves some issues within 24 hours.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I tried a few solutions before using Veracode. Veracode is better because it is convenient to use. The solution’s dashboard and features are pretty good. It is the topmost product among the other tools that I used. It is pretty simplified. Veracode has a lot of options to do authenticated scans. Veracode’s simplified features are helpful for people who use different authentication methodologies.

How was the initial setup?

We are using the SaaS version of the solution. The initial deployment was pretty easy. The CI/CD pipeline has a lot of dependencies, like connecting with Jenkins and Jira. If we directly upload the code to the cloud, we can deploy the product within a single day. If we do it in the CI/CD pipeline, it will take some time.

What about the implementation team?

One person can deploy the product. I haven’t had any maintenance-related issues with the solution. Whatever new vulnerabilities come, they are already updated in the database. Since we are a partner, it will be helpful if Veracode notifies us whenever it releases the vulnerability reports. We cannot always check the portal.

What's my experience with pricing, setup cost, and licensing?

The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.

What other advice do I have?

Veracode provides policy reporting to ensure compliance with industry standards and regulations. It is beneficial. The product also provides features to create custom policies. Most false-positive cases come under DAST. The false positives depend on the code. Veracode provides around 5% false positives.

The solution shows the vulnerabilities in the code and provides generic remediations for it. We must then search it on Google. The product’s community is also good. Sometimes, the product provides solutions in the community. These solutions work well on the production level.

I have also used the SCA features, which help with identifying vulnerabilities in applications' third-party components. The Veracode user interface is so convenient and easy to use. Anyone can run a scan and generate a report easily.

The solution provides absolute visibility into application status at every phase of development. The users can get visibility through the CI/CD pipeline. The time taken to complete the scans depends on how much code is present in a specific application and how big the application is.

Veracode introduced a new module named Veracode Fix, which automates the fixes for insecure software with AI-generated secure code suggestions, so the developer does not have to spend time searching for and remediating the vulnerabilities. Sometimes the tool gives a generic recommendation, sometimes specific recommendations. It will be helpful if it always provides specific recommendations. The amount of time saved hinges on factors such as code complexity, the programming language employed, and the developer's proficiency in secure coding. If anyone uses Veracode throughout the entire process of building an application, from the start of development to the final production stage, it can result in time savings of around 30% to 40% when leveraging the various security measures of the platform.

Veracode has had a good impact on our organization’s overall security posture. If we choose to take the complete Veracode module, we can have security from the initial step to the production phase. 

I would recommend that others implement the solution. Veracode is in the Gartner Magic Quadrant. It is doing a good job.

Overall, I rate the product a nine out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2024