reviewer1293537 - PeerSpot reviewer
Senior Manager Cyber Security at a tech services company with 201-500 employees
Real User
Top 20
Identifies false positives, prevents vulnerable code from being introduced into production, and provides static scanning
Pros and Cons
  • "Static Scanning is the most valuable feature of Veracode."
  • "Veracode can be improved in terms of software composition analysis and related vulnerabilities."

What is our primary use case?

We scan various types of software code, such as code or applications built in languages like C, Java, Python, PHP, and Ruby, among others. We assess the code quality using Veracode.

How has it helped my organization?

Veracode prevents 90 percent of vulnerable code from being introduced into production.

Previously, in our organization, we did not have a dedicated workflow or a tool for capturing code vulnerabilities. After the code passed the testing phase, it was directly implemented in production. However, since implementing Veracode and launching it, we have been able to identify vulnerabilities beforehand. As a result, our code now goes into production without any vulnerabilities. Only after ensuring this do we allow it to go live.

Veracode provides visibility into application status at every phase of development.

Based on our experience, Veracode quickly and effectively identifies false positives.

Our project teams understand the importance of conducting code scanning in addition to code development and Veracode testing. This ensures that any flow issues are addressed before proceeding to the next phase. It has become ingrained in their approach.

Veracode has helped our developers save time by assisting in fixing the vulnerabilities that could have had disastrous effects if they had gone into production.

Veracode has had a tremendous impact on our security posture, particularly in one region in Asia where Veracode is being used for security testing and vulnerability assessment. Now, other regions, including the US, have also recognized its value and started adopting Veracode.

What is most valuable?

Static Scanning is the most valuable feature of Veracode.

What needs improvement?

Veracode's policy reporting, which ensures compliance with industry standards and regulations, is valuable. It would also be helpful to have a specific example that we can relate to in order to better understand it. Currently, the information is scattered, so precision would greatly assist us.

Veracode can be improved in terms of software composition analysis and related vulnerabilities. For instance, when an application team provides us with their software code, we perform code scanning. During this process, we often encounter software composition analysis vulnerabilities that require the application team to upgrade their Java file from version X to version Y. We then communicate this to the application team, and they proceed with the upgrade. Once the upgrade is complete, we conduct a rescan. However, during the rescan, Veracode may identify compatibility issues with the upgraded version Y. This situation puts the application team in a difficult position, as they may be unable to accommodate this change within their project schedule. Therefore, this is an area where I believe Veracode could make improvements.

The technical consultation can be enhanced to effectively address the communication variations among different regions.

Buyer's Guide
Veracode
January 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
832,340 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Veracode for three years.

What do I think about the stability of the solution?

Veracode is 100 percent stable.

What do I think about the scalability of the solution?

Veracode can scale to meet our maximum requirements.

How are customer service and support?

There are cultural differences in the way we communicate with people from different countries. So, when a Japanese person is talking to an American, the rapid conversation provided by the American technical support person may not be easily understood by the Japanese individual. As a result, instead of having just one discussion or consultation with Veracode, we end up having three to four consultations.

How would you rate customer service and support?

Neutral

What other advice do I have?

I give Veracode a ten out of ten.

We are using Veracode in multiple locations and departments.

Veracode does not require any maintenance.

Veracode is an extremely user-friendly tool, operating through a web interface. Additionally, the support and guidance offered by the Veracode team are excellent. Considering all of these factors, I believe Veracode should be the choice for anyone.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer2099616 - PeerSpot reviewer
Senior software engineer at a tech services company with 1,001-5,000 employees
Real User
Provides visibility concerning security issues, is scalable, and no maintenance is required
Pros and Cons
  • "The most valuable feature is the static scan that checks for security issues."
  • "The zip file scanning has room for improvement."

What is our primary use case?

We use the solution to scan for and identify vulnerabilities or security issues.

We use a SaaS deployment.

How has it helped my organization?

Before releases, we must ensure that all the security issues identified by Veracode are addressed. Occasionally, some false positives may be encountered, but these can be safely ignored. We are usually satisfied with the accuracy of the report, as all the important security issues are identified and addressed, allowing us to focus on our release sooner.

All the applications that are going to production in our large company are required to pass through Veracode, which provides us with a uniform standard that everyone must adhere to. This standard allows us to ensure the quality of our products before they go to market.

Veracode may not seem to immediately save our developers time, and it may even seem tedious at times. Ultimately, however, it can be extremely useful in identifying issues and vulnerabilities before they become larger problems, making it a valuable resource.

Veracode helped our security posture by checking security gaps in the production environment.

What is most valuable?

The most valuable feature is the static scan that checks for security issues. We use Veracode for this purpose; we also use the solution for our UI, but for the backend, we only use the static scan. I'm not sure what it is called, but it is one of two scans, the other one being dynamic. We only use the static scan to identify any security issues.

Veracode assists in the prevention of vulnerable code from reaching production by providing a comprehensive review of security risks and comprehensive reports with thorough descriptions of the vulnerabilities. This allows us to address any security gaps in the release. Based on the severity, we should determine the standards for release. We should not have any security issues with a severity of medium or higher before releasing.

Veracode provides us with ultimate visibility concerning security issues. Additionally, we use OWASP, which checks our dependencies to identify any potential weaknesses, but Veracode is the only tool we use to check our source code. With Veracode, we have the capability to recognize any security issues in our source code.

What needs improvement?

The false positives have room for improvement. Sometimes, we will get false positives, which we mark as mitigated. However, it can be annoying when they come up again in the next release. Every time a new person is doing the work, they may not be aware of the history of the issue. They must then check the false positive again and mark it as mitigated, and it may come up again in the future. False positives can be an irritating and time-consuming issue for developers to deal with. Investigating them can be a waste of time, as they have already been looked into. This can be frustrating for those involved. False positives waste our time and resources.

The zip file scanning has room for improvement. Sometimes when we upload the zip files for scanning, it can take a long time to get the report. This can take up to a day. Unfortunately, even after waiting a day, sometimes we find that nothing happened and we have to start the process over. This is both time-consuming and frustrating, as we feel the system has crashed.

The reports have room for improvement. I believe the reports are thorough but can become overwhelming with unnecessary information that may not be pertinent to the developer. I'd prefer to have customizable reports that allow us to select which elements we'd like to include.

I believe the usability of the UI needs to be improved. For example, when we navigate away from a page, it should remember our last location and take us back there instead of sending us to the homepage. Additionally, it should be easier to navigate between pages without having to refresh the page each time.

Veracode should provide potential customers with better training materials and resources to help them make a more informed decision before purchasing the product. This could include tutorials, demonstrations, more about how the product works, the user interface, the quality of Veracode's reports, and more. It is unclear if these resources are already available, but they should be made more visible if so.

For how long have I used the solution?

I have been using the solution for over one year.

What do I think about the stability of the solution?

The report is usually ready without any problems, but occasionally there may be a crash or other issue occurring in the background that prevents it from being ready. This happens about 10% of the time. The solution is primarily stable.

What do I think about the scalability of the solution?

I haven't experienced any scalability issues so far. This is likely because the job is always the same and the files we upload remain the same. We haven't had to change any parameters in the input, so scalability hasn't been a concern.

Which solution did I use previously and why did I switch?

We used CodeSonar to analyze various aspects of our source code, and we already utilize OWASP to assess the security risks of our dependencies.

What other advice do I have?

I give the solution an eight out of ten.

One of the applications we supported through Veracode is designed for use by travelers of an airline. The application handles everything from searching for availability to obtaining tickets.

The solution does not require any maintenance. I am logging into my organization's portal, from which I have a direct link to access Veracode. I do not need to do anything else, such as create content or install anything.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
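The complaint above, that a false positive marked as mitigated comes back in the next release and a new person has to re-investigate it, is usually a matter of how the mitigation is keyed. If the key includes the line number, any edit above the finding shifts it and the mitigation no longer matches. The following is an added example, not Veracode's code or export format: it assumes a hypothetical findings export (a list of records with `cwe`, `file`, `function`, `line` and `severity`), keys the mitigation ledger on a fingerprint that deliberately excludes the line number, and shows the ledger surviving a release where lines moved. The sample findings are constructed.

```python
"""Carry false-positive mitigations across releases with a stable fingerprint.

Added example; the findings format below is hypothetical, not a vendor's.
"""
import hashlib
import json

# Constructed sample: findings from release 1 (hypothetical export format).
RELEASE_1 = [
    {"cwe": 89, "file": "api/orders.py", "function": "lookup", "line": 41, "severity": "High"},
    {"cwe": 79, "file": "web/render.py", "function": "banner", "line": 12, "severity": "Medium"},
    {"cwe": 259, "file": "tests/fixtures.py", "function": "seed_db", "line": 7, "severity": "Medium"},
]

# Constructed sample: release 2. The CWE-89 and CWE-259 findings are the same
# issues shifted by unrelated edits; CWE-79 was fixed; CWE-352 is genuinely new.
RELEASE_2 = [
    {"cwe": 89, "file": "api/orders.py", "function": "lookup", "line": 58, "severity": "High"},
    {"cwe": 259, "file": "tests/fixtures.py", "function": "seed_db", "line": 9, "severity": "Medium"},
    {"cwe": 352, "file": "web/forms.py", "function": "submit", "line": 30, "severity": "Medium"},
]


def fingerprint(finding):
    """Stable identity for a finding: CWE + file + function.

    The line number is excluded on purpose so that edits elsewhere in the
    file do not invalidate a reviewed mitigation.
    """
    key = f"{finding['cwe']}|{finding['file']}|{finding['function']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def mitigate(ledger, finding, reason, approver):
    """Record a reviewed mitigation so the next release inherits the decision."""
    ledger[fingerprint(finding)] = {"reason": reason, "approver": approver}
    return ledger


def triage(findings, ledger):
    """Split a release's findings into ledger-covered and still-open ones."""
    covered, open_ = [], []
    for finding in findings:
        (covered if fingerprint(finding) in ledger else open_).append(finding)
    return covered, open_


def ledger_to_json(ledger):
    """Serialise the ledger for storage next to the code (e.g. in the repo)."""
    return json.dumps(ledger, sort_keys=True, indent=2)


def ledger_from_json(text):
    return json.loads(text)


if __name__ == "__main__":
    # Release 1: an AppSec reviewer accepts the test-fixture credential finding.
    ledger = mitigate({}, RELEASE_1[2], "seed data for tests only", "appsec-lead")
    stored = ledger_to_json(ledger)

    # Release 2: the stored ledger still matches even though the line moved.
    covered, still_open = triage(RELEASE_2, ledger_from_json(stored))
    print("inherited mitigations:", [f["cwe"] for f in covered])
    print("needs review:", [f["cwe"] for f in still_open])
```

The trade-off to be aware of is granularity: a fingerprint this coarse would also hide a second, genuinely new instance of the same CWE inside the same function. If that matters for a code base, extend the key with the sink expression or the data-flow source, and re-review whenever the count of matching findings grows.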
Senior Security Consultant at a financial services firm with 1,001-5,000 employees
Consultant
Integrates well, reliable, but expensive
Pros and Cons
  • "The most valuable features of Veracode Static Analysis are its ability to work with GitLab and GitHub so that you can do the reviews and force the code."
  • "We have approximately 900 people using the solution. The solution is scalable, but there is a high cost attached to it."

What is most valuable?

The most valuable features of Veracode Static Analysis are its ability to work with GitLab and GitHub so that you can do the reviews and force the code.

For how long have I used the solution?

I have been using Veracode Static Analysis for approximately five years.

What do I think about the stability of the solution?

The stability of Veracode Static Analysis is good.

I rate the stability of Veracode Static Analysis a nine out of ten.

What do I think about the scalability of the solution?

We have approximately 900 people using the solution.

The solution is scalable, but there is a high cost attached to it.

Which solution did I use previously and why did I switch?

I use SonarQube with Veracode Static Analysis.

How was the initial setup?

The initial setup of Veracode Static Analysis was reasonably quick.

What about the implementation team?

We did the deployment of the solution in-house.

What's my experience with pricing, setup cost, and licensing?

The price of Veracode Static Analysis could improve.

Sometimes the model that Veracode pushes forward for you to use isn't beneficial. I advise companies to use SonarQube and Veracode together because we use SonarQube for all the individual developers to scan and do their checks and tasks before they do a full peer review to make sure that they have it clean and it's understood. We then use Veracode Static Analysis for repository control because you need fewer licenses. Veracode Static Analysis is expensive and this is why we split the two solutions.

There are extra costs per developer and it can get expensive quickly. They charge approximately $25 a month for each developer that uses it.

I rate the price of Veracode Static Analysis an eight out of ten.

What other advice do I have?

I would advise people to use Veracode Static Analysis in the final levels of deployment. For example, when you use other tooling, such as SonarQube, to do the initial tasks with the developers, then for peer reviews it is best to use Veracode Static Analysis to make sure that your repositories are controlled and managed properly.

I would always advise people to deploy at least two tools: one at a lower level to do the peer-to-peer work that is cheaper, such as SonarQube, because it is close to being free. Then use something such as Veracode for the repository control and the management control of your data cubes.

No solution is a hundred percent perfect. I wouldn't rate any solution a 10 because they've all got faults. SonarQube might pick something up that Veracode Static Analysis doesn't and vice versa.

I rate Veracode Static Analysis a seven out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
EricOlson1 - PeerSpot reviewer
Application Security Program Manager at a tech services company with 5,001-10,000 employees
MSP
It integrates seamlessly with other CICD solutions
Pros and Cons
  • "I don't have much experience with the solution yet. We're looking at integrating Manual Penetration Testing with JIRA and Bamboo and then building that into a CICD model, so the integration is the most valuable feature so far."
  • "I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you."

What is our primary use case?

Manual Penetration Testing is a security tool for static code scanning. It's still in testing, so the client has it in their commercial cloud. As soon as it's federally approved, they'll move it to the government cloud. That's supposed to happen any day now. I think their government cloud is AWS. I believe they're looking at the dynamic piece as well.

What is most valuable?

I don't have much experience with the solution yet. We're looking at integrating Manual Penetration Testing with JIRA and Bamboo and then building that into a CICD model, so the integration is the most valuable feature so far.

What needs improvement?

We're still trying to get things operationalized, piloted, and tested. I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you. 

For example, it would be nice if the solution used AI or machine learning to detect what your code was doing. It could perform the review and decide how to package up the software. You could run it and wouldn't need as much developer involvement.

For how long have I used the solution?

We've had Veracode in place for about three or four months now.

What do I think about the stability of the solution?

I haven't heard anything negative about Veracode's performance, and we've had a hundred people test it at one time. We may get to a point where we see some degradation, but we haven't yet.

What do I think about the scalability of the solution?

Manual Penetration Testing looks relatively scalable. We won't know those things until we get a critical mass of people testing all at the same time. We have around four teams that are scanning continuously, or on a fairly regular basis at this point.

How are customer service and support?

I'm happy with Veracode's support. We're getting the help we need. I meet with them weekly, and they answer our questions.

Which solution did I use previously and why did I switch?

We haven't worked with something like this before. This is the first time the organization has picked up this type of scanning solution.

How was the initial setup?

Setting up Manual Penetration Testing wasn't complex. None of these solutions are complicated. You get it, set it up, and run it. It has been deployed. They're already scanning, and more developers are being onboarded. 

We followed the implementation strategy provided by Veracode. One person is probably enough to onboard people and set them up. We need one person to concentrate on the strategy and ensure the systems are set up correctly.

What about the implementation team?

We deployed Manual Penetration Testing ourselves, but we have an arrangement with Veracode to provide the necessary professional services to support us. Consulting is part of the package they provide.

What was our ROI?

We used it to scan and detected a vulnerability, and they're trying to use it to identify how to fix the problem. That's the only example of an ROI we've got so far. 

What's my experience with pricing, setup cost, and licensing?

I'm not familiar with the costs, but I believe it's around half a million. I'm not sure how it compares to the other solutions, but I assume they're all in the same ballpark. HCL might have been a little less expensive.

Which other solutions did I evaluate?

I think someone at my company was looking at SonarQube, but whoever did that didn't go forward with a commercial version. I don't know how it would've worked out, and I didn't look at it. There was a community version someone had for years, but it never got the traction. 

Then I looked at HCL, Synopsys, and Cast. Cast is deep but highly expensive. Those were the Cadillac solutions. We went with the SaaS because they did not have anything that was on-prem. They wanted something that would be in the gov cloud that was FedRAMPed and low-maintenance on our side.

What other advice do I have?

I rate Veracode Manual Penetration Testing nine out of 10 for support and ease of setup. If you're considering this solution, I suggest trying it out and taking the opportunity to learn and teach yourself. Take some classes or online training. I found the solution pretty straightforward, and I'm not terribly technical. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Director, Quality Engineering at a tech services company with 1,001-5,000 employees
Real User
Good scan performance and visualization facilitates compliance and improves code quality
Pros and Cons
  • "The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities."
  • "Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues."

What is our primary use case?

We introduced SCA scanning to satisfy customer-requested open-source library scans as part of a contractual agreement. This led to expanding SCA scanning across our other applications to complement SAST/DAST application scanning.

We knew we had a technical debt from not updating open-source libraries for years, and were not aware of the vulnerabilities in these libraries at the time. SCA scanning is now a first-class scan component of our current practices and included in our external security audits going forward.

How has it helped my organization?

Veracode SCA enables awareness of open-source library vulnerabilities and versions to upgrade and eliminate these problems. It links to SWE flaws and provides guidance on remediation.

The nature of discovering a vulnerability included in many places of the application code base makes initial findings look overwhelming. However, we found that more than 80% of the time, simply updating the build project configuration to include new versions, rebuilding, and rescanning resolved the vulnerability finding.

The remaining ~20% of findings required refactoring for deprecated methods or a shift in usage model to update to a newer version.

What is most valuable?

Multiple "Policy" profiles can be created to apply differently to different classifications of applications that include grace periods per severity. I find this a great way to manage team expectations and regulatory compliance on a per-scan and time-period cycle, leading to self-service compliance remediation.

The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities.

The Vulnerable Methods feature helps with sorting through those vulnerabilities that matter to my application codebase.

What needs improvement?

Three areas that we continue to struggle with are:

  1. Identifying and flagging false positives that reappear in other locations. A rule that catches the other occurrences, so that we don't have to repeat the override each time, would help productivity.
  2. Improving sorting through findings reports to filter by only what is critically relevant, which will help developers focus on issues.
  3. Adding enterprise aggregate reporting that shows teams grouped in business units, with trends per team and at the group level, sent by email as a digest with drill-in back to the dashboard.

For how long have I used the solution?

We have been using SCA for one and a half years and SAST/DAST for two and a half years.

What do I think about the stability of the solution?

Scanning is reasonably consistent and reliable. Occasionally, a scan will fail or get stuck due to a defect in the scanner or some unsupported implementation, requiring escalation to Veracode to fix or work around.

What do I think about the scalability of the solution?

Platform scan performance has improved over the years. Refrain from putting too much in your application package for scanning such that you keep a reasonably short scan time.

Veracode needs a more standard microservice pricing strategy such that optimizing SaaS solutions into microservices from monolith applications is not penalized. 

How are customer service and technical support?

Technical support was difficult at times due to off-shore support that seemed to be reading from a script and not really understanding our issue. The time delays in response with the off-shore team and language concerns made resolving issues painful at times.

As we grew, we were assigned a local Security Program Manager as a point person for all escalations and that made all the difference. Our escalations are now taken seriously, with a consultation of the issue and swift resolution if warranted.

Which solution did I use previously and why did I switch?

We previously used WhiteSource open-source scanning and switched to Veracode for consolidation of scanning tools with one vendor dashboard.

How was the initial setup?

The initial setup for manual scan uploads is straightforward. Pipeline uploads can take some effort to get to work right. Setting up policy rules and charts for results is reasonably easy.

What about the implementation team?

We implemented it through an in-house team. This is a Quality Engineering Shared Service team with a part-time custodian that performs other roles as well. We found the need to have a designated custodian per application scrum team to assure that scan capability and scan frequency for that team are maintained, escalating any issue to the shared service team and/or Veracode directly, and for shepherding vulnerabilities through the backlog routinely.

What was our ROI?

We feel that security scanning is a necessary cost of doing business, especially with FedRAMP and other prescriptive certifications. The effort we put into scanning keeps our applications healthier with higher quality confidence.

When our scan pipelines work as intended, there is little human capital cost. If there are problems with the scan pipelines and/or scan results then this can become time-consuming to address.

What's my experience with pricing, setup cost, and licensing?

The Veracode price model is based on application profiles, which is how you package your components for scanning. Veracode recently included SCA pricing and support pricing as a factor of the SAST scan count cost. When using microservices, you may need to negotiate pricing based on actual application counts where microservices are usually a portion of an application.

Which other solutions did I evaluate?

Synopsys and Checkmarx were explored for SAST/DAST scanning in 2017, prior to the use of SCA.

What other advice do I have?

Veracode has evolved to be a good partner, overall, in working through our learning needs and problem escalations. There are layers of training and consultation available, as well as recurring support engagements if the enterprise scanning needs warrant it.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
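The policy-profile idea described in the review above (different profiles per application classification, each with a grace period per severity, so that a build fails only once a finding has outlived its grace period) is worth seeing as a concrete gate, and it also matches the earlier review's rule of releasing with no open issues of medium or higher severity. The following is an added example, not Veracode's policy engine or API: the profile names, grace periods, finding records and dates are all constructed, and the only rules it encodes are the ones the reviews state.

```python
"""Build gate: policy profiles with a blocking threshold and per-severity grace.

Added example; profiles, severities and findings are hypothetical.
"""
from datetime import date, timedelta

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Hypothetical policy profiles keyed by application classification.
# block_at: lowest severity that gates the build.
# grace_days: how long a finding of that severity may stay open before it
# counts as a violation (a severity missing here gets no grace at all).
PROFILES = {
    "external-facing": {
        "block_at": "Medium",
        "grace_days": {"Critical": 0, "High": 7, "Medium": 30},
    },
    "internal-tool": {
        "block_at": "High",
        "grace_days": {"Critical": 7, "High": 30},
    },
}

# Constructed findings with the date the scanner first reported each one.
FINDINGS = [
    {"id": "A", "severity": "High", "first_seen": date(2025, 1, 1)},
    {"id": "B", "severity": "Medium", "first_seen": date(2025, 1, 10)},
    {"id": "C", "severity": "Low", "first_seen": date(2024, 6, 1)},
    {"id": "D", "severity": "Critical", "first_seen": date(2025, 1, 14)},
]


def evaluate(findings, profile_name, today):
    """Return the gate decision for one application under one profile.

    A finding is a violation when it is at or above the profile's blocking
    severity and today is past its first_seen + grace deadline. Findings still
    inside their grace window are reported separately so the pipeline can warn.
    """
    profile = PROFILES[profile_name]
    threshold = SEVERITY_RANK[profile["block_at"]]
    violations, within_grace = [], []
    for finding in findings:
        if SEVERITY_RANK[finding["severity"]] < threshold:
            continue  # below the blocking threshold: visible in reports, not gating
        grace = profile["grace_days"].get(finding["severity"], 0)
        deadline = finding["first_seen"] + timedelta(days=grace)
        entry = (finding["id"], deadline)
        (violations if today > deadline else within_grace).append(entry)
    return {"passed": not violations, "violations": violations, "within_grace": within_grace}


def days_left(entry, today):
    """Days until a within-grace finding becomes a violation (for pipeline output)."""
    return (entry[1] - today).days


if __name__ == "__main__":
    today = date(2025, 1, 15)
    for profile_name in PROFILES:
        result = evaluate(FINDINGS, profile_name, today)
        print(profile_name, "passed" if result["passed"] else "FAILED")
        for entry in result["violations"]:
            print("  violation:", entry[0], "deadline was", entry[1])
        for entry in result["within_grace"]:
            print("  in grace:", entry[0], days_left(entry, today), "days left")
```

Two design points follow from the reviews. First, `first_seen` must be carried forward from the earlier scan rather than reset on every upload, otherwise the grace period restarts with each release and the gate never closes; this is the same persistence problem the false-positive complaints describe. Second, the internal-tool profile ignores Medium findings entirely, which is a deliberate choice to keep developers focused on what that classification considers critical, not an oversight.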
reviewer1360617 - PeerSpot reviewer
Sr. Security Architect at a financial services firm with 10,001+ employees
Real User
Gave us much higher quality dynamic scanning with very few false positives and a robust static scanning solution
Pros and Cons
  • "Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
  • "One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."

What is our primary use case?

We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.

How has it helped my organization?

Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution.  

Our Veracode license includes a "people component" that allows developers to request an in-person session to be scheduled to review a defect. This has helped our application security personnel pool to free up time for other pursuits. I'm not sure if this is included in all licenses or is an add-on.

What is most valuable?

Being cloud-based is a huge plus. All of our scans are always using up-to-date scan signatures and rules, and there is nothing for us to maintain. Veracode has been spot-on with notifying about planned downtimes for maintenance and upgrades. In my years of using the product, unplanned downtimes have been minimal (in fact I can't remember one).

The API integration that allows integration with other tools, such as defect trackers and automated build tools, is also a benefit. We also like the integrated, available "in-person" support sessions to review and ask questions on discovered defects.

What needs improvement?

We've had one occasion where a sub-product upgrade required action on our part faster than we initially understood it needed to happen. This ended up being relatively minor.

One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive. 

Separately, I find the results console somewhat confusing.  When you are running multiple scan types for the same application, I've sometimes found it difficult to sort out where issues came from when I need that information.

For how long have I used the solution?

We have been using Veracode for over four years.

What do I think about the stability of the solution?

Our solution is highly stable with minimal downtimes. (In fact I don't recall the last time there was an unplanned Veracode cloud outage that impacted us.) We previously had occasional issues with the scan appliance model, but the relatively recent switch to the ISM model has been much more stable.

What do I think about the scalability of the solution?

Given that it is cloud-based, coupled with their newer app-based internal scan model, we are pleased with the scalability and have not experienced any issues with scale.

How are customer service and technical support?

As mentioned in prior comments, Veracode is simply put our best vendor in terms of relationship, value-add, and customer service/technical support. We get responsive answers from support, and their support resources clearly understand the product, and issues are resolved quickly.

Which solution did I use previously and why did I switch?

Yes. We used a legacy, heavyweight dynamic scanning product. It would produce hundreds of pages of (mostly) false positives that were nearly impossible to digest and tune. We also didn't have a static scanning product. Moving to Veracode gave us much higher quality dynamic scanning with very few false positives (in part due to their model of human-assisted tuning, provided by them) and a robust static scanning solution.

How was the initial setup?

The setup was easy and straightforward. We had some issues with API calls from our build automation tools, but this was related to networking issues in reaching the Veracode servers on the Internet, not the Veracode product itself.

What about the implementation team?

We implemented with all in-house resources.

What was our ROI?

We achieve greatly improved security and earlier detection of security defects in the lifecycle, as well as neatly meeting compliance requirements.

What's my experience with pricing, setup cost, and licensing?

For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.

Which other solutions did I evaluate?

Checkmarx and SonarQube.

What other advice do I have?

Of all the tool vendors I have relationships with, Veracode is simply our best vendor in terms of partnership, value add, and support responsiveness.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Security Analyst at a wellness & fitness company with 1,001-5,000 employees
Real User
Increased productivity, helped build and improve security and development departmental relationships
Pros and Cons
  • "Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence."
  • "Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk"

What is our primary use case?

Veracode is a cornerstone of our Development Security Operations Program, particularly scanning automation and remediation tracking.

We've been able to monitor the release cycle and verify our Security Standards are met by setting policy and ensuring scans are taking place. If a scan fails to meet our standard, the build breaks and the flaws are remediated before releasing to Stage and ultimately Production, where the potential impact is much more costly.

We have discovered opportunities to make our code even better thanks to Veracode!

How has it helped my organization?

Veracode has improved our Application Security program by providing numerous integrations and tools to take our AppSec/DevSecOps to the next level.

Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence.

In many ways, Veracode has increased productivity, helped build and improve security and development departmental relationships, and enabled developers to consider and care about application security.

What is most valuable?

Greenlight - Developers can test their code before they commit. They are able to privately scan their code and correct any mistakes before it is committed into the build and scanned with the other components.

SAST - During a build process, we have integrated the Veracode Static Scanning (SAST) component which provides an excellent first glance at the code moving through environments.

SCA / SourceClear - Veracode SCA / SourceClear has given us excellent visibility into potential vulnerabilities found in third-party components, packages, frameworks, and libraries.

What needs improvement?

Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk. Right now I have to jailbreak an iPhone and root an Android to intercept and fuzz requests with a Burp Suite Proxy.

That is a very time-consuming process and there are lots of dependencies. It would be very helpful if we could upload an .ipa or .apk into a Veracode simulator, provide credentials, and run a Dynamic scan accordingly. Fuzzing functionality on API resources, HTTP Methods, and Parameters would also be very useful in testing our Web and API Application Firewalls, response pages, and other WAAF actions.

For how long have I used the solution?

I have been using Veracode for about two years now.

What do I think about the stability of the solution?

It seems to be very stable, no problems thus far.

What do I think about the scalability of the solution?

It has lots of growth potential, lots of room for improvement.

How are customer service and technical support?

Exceptional!

Which solution did I use previously and why did I switch?

Previously used Burp Suite, OWASP Zed Attack Proxy, Python scripts / PowerShell and Batch, Retire.JS, Vulners, and Wappalyzer browser plugins.

How was the initial setup?

The initial setup was very straightforward, and integrations were up and running in a matter of days after purchase.

What about the implementation team?

Implementation was in-house (Deployment, Automation Engineers, Myself).

What was our ROI?

Unknown - productivity and time are measurable, possibly as much as 20%. Improvement in cross-departmental relations is priceless!

Which other solutions did I evaluate?

We also evaluated WhiteHat Security.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Anshuman Kishore - PeerSpot reviewer
Director Product Development at Mycom Osi
Real User
Top 5 Leaderboard
Categorizes security vulnerabilities, is scalable, and has no issues with stability
Pros and Cons
  • "What I found most valuable in Veracode Static Analysis is that it categorizes security vulnerabilities."
  • "Veracode Static Analysis lacks penetration testing, so that's a concern. The tool is also unable to scan when it's a C or C++ model, so that's another area for improvement."

What is our primary use case?

We're using Veracode Static Analysis for scanning security vulnerabilities.

Once the image is built in the container, we send it to Veracode Static Analysis for static analysis assessment, and the tool scans it. The tool then provides us with information on vulnerabilities in our code and the third parties, then provides recommendations on how to solve vulnerabilities, and that's helpful.

What is most valuable?

What I found most valuable in Veracode Static Analysis is that it categorizes security vulnerabilities. My company is mainly worried about security vulnerabilities, so it's beneficial that the tool identifies security-related vulnerabilities.

What needs improvement?

Veracode Static Analysis lacks penetration testing, so that's a concern. The tool is also unable to scan when it's a C or C++ model, so that's another area for improvement.

For how long have I used the solution?

I've used Veracode Static Analysis for one and a half years, and I'm still using the tool.

What do I think about the stability of the solution?

I didn't find any stability issues with Veracode Static Analysis. It's a stable tool.

What do I think about the scalability of the solution?

Veracode Static Analysis is a scalable solution. My company has between one hundred fifty and two hundred microservices, yet the tool can scan cost-efficiently without issues.

How are customer service and support?

Veracode Static Analysis has good support. There's a channel where my team communicates with support, raises tickets, then support will give you a call, though there were a few times when support struggled on specific cases.

How was the initial setup?

The IT team set up Veracode Static Analysis, but it's a bit complex.

What about the implementation team?

We deployed Veracode Static Analysis in-house.

What was our ROI?

We have not reached the point where we see ROI from Veracode Static Analysis because we're still assessing it, but there are so many vulnerabilities. If we fix some of the high-priority vulnerabilities not reported by the customer, and zero them out or reduce them, then we see value from the tool. Those high-priority vulnerabilities are less than manageable because they have multiple levels or layers.

What's my experience with pricing, setup cost, and licensing?

To my knowledge, licensing for Veracode Static Analysis is paid yearly by my company.

Which other solutions did I evaluate?

We compared Veracode Static Analysis with other vendors, including SonarQube, and went with Veracode because it had more value than others.

What other advice do I have?

Twenty-five to thirty people from the development and QA teams use Veracode Static Analysis, but my company is still learning the best way to reduce the load. There's no plan to increase the tool's usage for now.

Based on my initial analysis, I'd recommend Veracode Static Analysis to anyone looking into implementing it, as it's a good tool.

My rating for Veracode Static Analysis is eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2025