Veracode Reviews

The most important purpose of this platform is code security. We are able to scan our code and find security flaws.

Veracode has saved us a lot of time because we have been able to reduce manual processes. We are able to do most things automatically with the platform. It has saved us between 30 and 40 percent of our time.

The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws.

The sandbox environment is also one of the features we are using as well as integration with our CICD pipeline, which is very useful. The product is pretty easy to understand, which is quite good.

The policy reporting for ensuring compliance with industry standards and regulations also helps us a lot.

It gives us visibility into application status at every phase. We have definitely seen an improvement in that regard.

I'm pretty new to this platform. I'm going with a trial right now and have been using it for about a month. We have spent most of our time analyzing the code.

It's a stable product.

It is also very scalable.

The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced.

Neutral

This is the first such tool we are using.

The initial deployment was not very complex. It took us around 15 days because we were trying to understand the policies and many other things. Our team has 15 people and everyone was involved in making some decisions regarding the solution.

We have only needed help with the product itself. That's what we have reached out to their team for. But there hasn't been any maintenance of the product for us.

The pricing is a bit high. Although we are in a trial phase, if we are going to make the decision to purchase the software, the pricing is going to be high for us.

We are able to justify the false positives because security flaws are one of the biggest things that Veracode's features help us with.

Overall, the product is good. It has made a very good impression. There are some flaws, as I have mentioned, but overall it looks very good, with the features I've mentioned. The impact on our security has been good. The main challenge for us will be the pricing, but if we ignore that factor, the impact has been very good and we would definitely implement Veracode.

I would suggest having a look at Veracode. Go for a trial of the system to see if Veracode is something that can help solve your problems. Pricing should be ignored because there are definitely some very specific features that help a lot. 

I'm using it to troubleshoot and know the issues in my code and resolve them as soon as possible.

Veracode helps me to understand and resolve vulnerabilities in my code. It's very good to have, and what's most interesting is that the Veracode Greenlight gives me real-time output and resolution. I can also schedule calls with the security experts for any resolution. It's good for understanding and resolving issues that my code might have.

Veracode definitely helps in creating a secure environment for both the company as well as the clients. Our clients require their data to be secure. They also require a stable solution. Veracode is helping me in developing a good product. It provides full information and also helps in a quick resolution.

Veracode is secure, and it has coding standards. It helps me in penetration testing and application security consultation. It exposes common vulnerabilities. The static scan is very good, and it gives me valuable information and a very good recommendation of how I can fix it.

We can integrate Veracode for both static and dynamic analysis to reduce the risks in the application and prevent vulnerabilities. A significant benefit is that you have a risk-free code. It minimizes the risks.

It gives visibility into the application status at every phase of development. There is Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test throughout SDLC.

Veracode has been very important and helpful in creating stable products because we are able to identify issues in the code and then create powerful and stable products for clients.

Veracode provides all details regarding the issues and the way to resolve them. It makes it easy for me as a developer to understand the issue in a better way. It improves a developer's confidence in the solution when fixing vulnerabilities.

Veracode has saved a lot of our time. It has saved us about 45% time.

Veracode has enhanced security. We are able to identify what is missing and what are the issues in the code. When we know that the code has an issue, we are able to make sure that we correct it. Veracode has helped us a lot in providing a stable, secure solution to our clients.

Veracode has helped us to develop faster because it's so straightforward. It has clear documentation that you can use to create a very good and stable environment for developers to collaborate and create a unique solution.

IDE Scan is the most important feature, and then you have SCA and Platform Scan.

I like the fact that it can be used at any stage of application development. I use scanning with a particular piece of code. There is an extension that helps me to create my code easily in Visual Studio and then find flaws before deploying the code. It's definitely benefiting me and the organization. It's so quick and easy to create a code and then deploy it live.

It's easy to create reports. It works very well. It's straightforward, and it does not require a lot of time. It's a straightforward platform that you can use for performing scans or mitigating issues. It has a very good user interface. FAQs are also helpful in case you are not familiar with it. It's good and straightforward when you integrate it with machine learning platforms.

It's very expensive for a small organization.

I have been using it for a year and a half.

It's a very stable solution.

It's scalable enough. Veracode is being used in the engineering department. It's being only used in one department by two people. It's a developer tool for developing solutions faster, troubleshooting, and debugging.

Their support is good because there is an option to request a consultation. If you face any issue or any difficulty with the scans or mitigation, they can help you out. The support service for me is very costly, but you also have a well-organized FAQ and a very big community for asking questions and getting a solution. I'd rate their support a 10 out of 10.

Positive

I haven't used a different solution. This is the first solution I've used.

I was involved in its deployment. It took me one week to implement Veracode. The process was straightforward. If you are lost or have any issues, you can read the documentation.

I implemented it.

It's not so huge to provide a lot of return on investment, but it's helping us to have a stable solution. It's a secure platform, but in terms of the return on investment, it hasn't made a very good impact yet. We have only seen 10% to 15% ROI.

It has reduced the cost of DevSecOps for the organization because we can use one platform to develop, troubleshoot, and debug faster, so it has helped us a lot.

It's very expensive, especially when you are a very small organization. If you're using Veracode at an individual level, for example, you're a developer or you run agents, the pricing might not affect you, but if you're using it at a company level to troubleshoot security issues, the pricing is not quite favorable. It may affect ROI.

Veracode is good. It's for organizations that want to give their customers both security and privacy. It's good in case you want to dive deep into the code and get the flaws that could be dangerous to both the organization and the customers using an application. If you are looking to create a good application that is also secure, I'd recommend Veracode.

Overall, I'd rate Veracode a 9 out of 10.

We use Veracode for security scanning purposes, and our security services team has developed the logic. We create the pipeline and run the Veracode scan for particular microservices. My role is to run the Veracode pipeline and to see all the detailed reports. Once the scan is complete, I download the Veracode report and share it with developers.

We have multiple environments, and all entities use the solution. We have approximately 1000 users.

The best feature is definitely the detailed reports. It provides code-related queries in the order of high, medium, and low depending on what we need to do. Veracode is user-friendly as well.

It provides all the details to prevent vulnerable code from going into production. The Veracode scanning report shows where we need to create security and how to encrypt usernames, passwords, or other details. It's very helpful from an application security perspective.

With this solution, we have visibility into application status at every phase of development including static analysis, dynamic analysis, software composition analysis, and manual penetration test throughout our SDLC. It is helpful for our DevSecOps processes because we get all the details before going into production. We can then talk with the design team and developers to fix any issues before going live.

Veracode helped to improve our ability to fix flaws.

It also saved our developers' time by 50% to 60%. Before going live, we always integrate Veracode with our application's bill pipeline. Instead of resolving issues once it is live, we can fix them beforehand.

Searching for applications in Veracode is a little bit difficult. We have to minimize the length of an application's name to 47 characters. It would be good if this limit could be increased so that an application's name can be properly reflected in Veracode.

My organization has been using Veracode for four years, and I've been working with it for two years.

Veracode is a stable solution.

It is a scalable solution.

Veracode's technical support is good, and I'd rate them a nine on a scale from one to ten.

Positive

Overall, I'd give Veracode an eight out of ten.

We use it to scan our web applications before we publish them to see if there are any security vulnerabilities. We use it for static analysis and dynamic analysis.

Veracode has helped immensely with developer security training and in building developer security skills. Before we implemented it, we would find a lot more vulnerabilities in our applications. Now, with Veracode, the developers have started doing a lot more secure coding and they have much better coding practices.

It has also helped our organization to review code quicker, about 50 percent quicker, and to deploy more secure code.

And when it comes to the solution's ability to prevent vulnerable code from going into production, so far, I haven't seen any instances in which we've had false negatives. So it's pretty effective at that.

Among the most valuable features are the ability to 

• submit the software and get automated scan results from it
• collaborate with developers through the portal while looking at the code
• create compliance reports.

Otherwise, we would have to do working sessions with developers and pull together all the different findings and then probably manage it in a separate mechanism like Excel. And to have to go through source code manually would be quite time intensive and tedious.

The solution also provides you with some guidance as well as best practices around how vulnerabilities should be fixed. It points you in that direction and gives the developers educational cues.

In addition, the policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards.

The solution also integrates with developer tools such as Visual Studio and Eclipse.

It's pretty efficient, but sometimes the static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools. In some cases, they might have other mechanisms which would deal with a particular vulnerability, but it wouldn't be captured in the code. I would estimate the false positive rate at about 20 percent.

Upon review, the developers understand the solution. But when they get the initial list of findings, it can be a bit daunting to them if it's not managed appropriately.

Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved. There are times when we need a quick turnaround but it will take a little while. We might have something scanning and not get a result until the following day. It's not too critical, but it does increase the delay. Most of the time, when developers submit their code, because of the way that we use it, it's because in their minds they're ready to have that code deployed into production. But the security testing, especially with the feedback, introduces additional time into the project, especially if a security fix is needed.

I have been using Veracode for about two years.

There have been no issues with the stability. We haven't had any outages or any unavailability of the system, so far.

We have about 40 developers but we use this product per project rather than per developer. All our projects will pass through this product. At any given time we have about 10 to 12 projects going on. Outside of developers, it's just the five security team members who also use Veracode.

Any increase of usage will be based on the business and if there are more software projects. Whenever there are additional software projects, we will then increase our usage.

Their technical support is good, but we haven't really had to use it much, so far.

The initial setup was pretty straightforward but, depending on the type of applications or the types of code that you're using, the setup requirements may be a little different. It takes a little getting used to, based on the environment in which you're working.

For example, for Visual studio, it might have specific requirements that are needed to package an application for scanning, whereas an Angular application would have different requirements. For me, as a non-developer, the issue would be around understanding those different requirements for each development environment.

Our deployment didn't take long; it took a couple of days. There were three people involved in, including a developer, someone setting it up, and a code reviewer. By "setting it up" I mean putting in the applications, saying what the application does—providing the business rules of the application.

We didn't have a specific strategy for deploying it. The software is pretty straightforward, once you have the application bundles to be scanned. There's not a whole lot to do after the packaging.

Maintenance-wise, it doesn't take much because it's SaaS. We don't really do much on our end.

We did it in-house with Veracode. Working with Veracode for the deployment was pretty easy, pretty straightforward.

We've seen ROI in that we've cut down on the number of penetration tests we've been doing by about 50 percent, and also because of the stage at which the vulnerabilities are found, before they get into production. That means the risk has also been reduced.

It has reduced the cost of application security for our organization, but more than it has reduced the cost, it provides better software assurance.

In addition to the standard licensing fees there's a support cost and an implementation cost at the beginning.

This year I looked at other vendors in the market, including Synopsys, Contrast, and Checkmarx. What I didn't like about them is that their licensing models are based on how many developers you have. That wasn't a good fit for me. In addition, Checkmarx didn't have a SaaS solution.

If you are doing pipeline-based implementation, it would be more complex than the way that I'm doing this, but I didn't see any real challenges that would be tool-specific or vendor-specific, with implementation.

Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive. But if you have maybe one or two developers doing many projects, then you might look more towards software that has a developer-centric model.

We don't use the Static Analysis Pipeline Scan because of the build process that our  developers use. They don't really have an automated build pipeline in which they push the code to production. Also, with the false positive rate, it's a bit tricky when you implement that into the pipeline, as it might stop a developer from pushing code out to test. We use it more like a gate. The developers submit the code to us and then we scan it and review it with them.

The biggest lesson I've learned from using Veracode is that you need to manage it with the developers, so that you speak through the findings with them. It's not just a tool that you throw down their throats.

Overall, I would rate it at seven out of 10. Ideally, I would prefer a product that had the interactive testing, as well as the ability to scan a little faster.

It is a broad and integrated platform. It provides multiple test scenarios and has the ability to do CI/CD pipeline integration. It is used for application security and vulnerability assessment.

Veracode provides guidance to develop secure software. It is one of the valuable features.

On-premise implementation is not available.

I have been using the solution for ten years.

It is stable.

The tool is scalable.

The technical support is good.

Neutral

The product is deployed on the cloud. We have a multi-cloud environment.

The solution is expensive.

Veracode’s policy reporting for ensuring compliance with industry standards and regulations is good. The product's false-positive rate is low. If the tool is used effectively, vulnerable codes do not go into protection.

The SBOM feature helps identify risks in all third-party software. It is quite easy to create a report using the SBOM feature. It is an important feature. The solution provides visibility into application status at every phase of development. We have not integrated it.

Veracode has a good effect on our organization’s ability to fix flaws. Veracode has helped our developers save time. Veracode has a good impact on our organization’s overall security posture. The solution is probably not worth the money. The developers are more confident while fixing vulnerabilities due to the solution’s low false-positive rate.

Overall, I rate the tool a six out of ten.

We use Veracode for static code analysis scans for our clients.

Veracode is deployed both on the cloud and on-premises.

Veracode helps prevent vulnerable code from being deployed into production by identifying problematic code. It enables us to send a report to the application developer, allowing them to address the vulnerabilities based on their criticality level. The developers are given six months to address medium-level issues and three months for critical ones. If the criteria are not mapped with the higher critical alerts present in those applications, we can enforce the build field and proceed without deploying it into production.

Veracode has helped improve our customers' organizations through the scanning taskbar, which identifies vulnerabilities in code. We have worked with ten clients, all of whom used Veracode to identify vulnerable code early in the development stage and resolve the issues. Additionally, Veracode offers Greenlight ID, which developers can integrate into their development process, providing clarity during the development phase. Veracode can also generate reports that developers can resolve, facilitating the quick resolution of security concerns.

The policy reporting for ensuring compliance with industry standards is excellent. The report helps us maintain our compliance.

It offers visibility into the application's status at every phase of development, including static analysis, dynamic analysis, composition analysis, and manual penetration testing throughout the Software Development Life Cycle.

Visibility aids the DevSecOps process by offering a clear framework for all involved departments, including the steps for handling severities.

Veracode assists our clients in addressing flaws by simplifying the process. The security team can review the code, approve or reject it, and developers can utilize the reports to promptly rectify the flaws.

It assists developers in saving approximately 20 percent of their time, primarily in the static part, as they no longer need to review all the code. Regarding the dynamic part, Veracode scans all the URLs, eliminating the necessity for developers to use additional tools. For third-party dependencies, developers depend on the reports and the Greenlight ID plug-in to streamline their workflow and save time.

Our clients depend on Veracode to improve their security stance.  

The CI/CD integration is the most valuable feature of Veracode. This feature is not present in other solutions.

The analytics dashboard is not user-friendly and can be improved to assist us with the application size and enable modifications, whether for static or dynamic scans. This is currently missing in Veracode.

Veracode needs to improve its integration with other tools.

We have requested an enhancement for Veracode because it does not support scanning the static and dynamic elements of code created by MuleSoft. Furthermore, it does not support these aspects for the new generation of applications and we have to use other tools.

I have been using Veracode for over seven years.

If there is an issue, I am unable to access all the logs due to insufficient permissions, which causes delays.

Veracode is scalable. To increase the scale, we simply need to increase the number of licenses.

The technical support team's response time is inadequate. Typically, they fail to provide assistance beyond the initial call due to the limited knowledge and inability of the first-level support to resolve issues effectively. I have been dealing with a single issue for three weeks without any resolution.

Neutral

The vendor handles the deployment, and we simply need to install the ISM agents on our network. The deployment time depends on the size of the application. Large applications may take up to five days to scan, but on average, it takes one or two days.

The pricing depends on the functionality each client desires. For example, one of our clients only wishes to scan two applications, so they pay for that specific service in addition to our organization's third-party access to their system.

I give Veracode an eight out of ten.

20 to 30 percent of the false positive rates are vulnerabilities. Sometimes, almost 50 percent of the reports are false positives, which affects the time spent on tuning policies.

The false positives increase the amount of time our developers need to spend investigating the reports. 

Veracode offers static analysis, dynamic analysis, and composition analysis all in one place.

We are a team of five individuals who assist in deploying and managing Veracode, along with handling other tasks.

Our client base varies depending on their budgets, but we serve a large number of organizations in the financial industry.

I recommend Veracode. The solution is on par with the others, and organizations can read the reviews and run some tests before making a purchase.

We use the solution to scan for and identify vulnerabilities or security issues.

We use a SaaS deployment.

Before releases, we must ensure that all the security issues identified by Veracode are addressed. Occasionally, some false positives may be encountered, but these can be safely ignored. We are usually satisfied with the accuracy of the report as all the important security issues are identified and addressed allowing us to focus on our release sooner.

All the applications that are going to production in our large company are required to pass through Veracode, which provides us with a uniform standard that everyone must adhere to. This standard allows us to ensure the quality of our products before they go to market.

Veracode may not seem to immediately save our developers time, and it may even seem tedious at times. Ultimately, however, it can be extremely useful in identifying issues and vulnerabilities before they become larger problems, making it a valuable resource.

Veracode helped our security posture by checking security gaps in the production environment.

The most valuable feature is the static scan that checks for security issues. We use Veracode for this purpose; we also use the solution for our UI, but for the backend, we only use the static scan. I'm not sure what it is called, but it is one of two scans, the other one being dynamic. We only use the static scan to identify any security issues.

Veracode assists in the prevention of vulnerable code from reaching production by providing a comprehensive review of security risks and comprehensive reports with thorough descriptions of the vulnerabilities. This allows us to address any security gaps in the release. Based on the severity, we should determine the standards for release. We should not have any security issues with a severity of medium or higher before releasing.

Veracode provides us with ultimate visibility concerning security issues. Additionally, we use OWASP, which checks our dependencies to identify any potential weaknesses, but Veracode is the only tool we use to check our source code. With Veracode, we have the capability to recognize any security issues in our source code.

The false positives have room for improvement. Sometimes, we will get false positives, which we mark as mitigated. However, it can be annoying when they come up again in the next release. Every time a new person is doing the work, they may not be aware of the history of the issue. They must then check the false positive again and mark it as mitigated, and it may come up again in the future. False positives can be an irritating and time-consuming issue for developers to deal with. Investigating them can be a waste of time, as they have already been looked into. This can be frustrating for those involved. False positives waste our time and resources.

The zip file scanning has room for improvement. Sometimes when we upload the zip files for scanning, it can take a long time to get the report. This can take up to a day. Unfortunately, even after waiting a day, sometimes we find that nothing happened and we have to start the process over. This is both time-consuming and frustrating, as we feel the system has crashed.

The reports have room for improvement. I believe the reports are thorough but can become overwhelming with unnecessary information that may not be pertinent to the developer. I'd prefer to have customizable reports that allow us to select which elements we'd like to include.

I believe the usability of the UI needs to be improved. For example, when we navigate away from a page, it should remember our last location and take us back there instead of sending us to the homepage. Additionally, it should be easier to navigate between pages without having to refresh the page each time.

Veracode should provide potential customers with better training materials and resources to help them make a more informed decision before purchasing the product. This could include tutorials, demonstrations, more about how the product works, the user interface, the quality of Veracode's reports, and more. It is unclear if these resources are already available, but they should be made more visible if so.

I have been using the solution for over one year.

The report is usually ready without any problems, but occasionally there may be a crash or other issue occurring in the background that prevents it from being ready. This happens about 10% of the time. The solution is primarily stable.

I haven't experienced any scalability issues so far. This is likely because the job is always the same and the files we upload remain the same. We haven't had to change any parameters in the input, so scalability hasn't been a concern.

We used CodeSonar to analyze various aspects of our source code, and we already utilize OWASP to assess the security risks of our dependencies.

I give the solution an eight out of ten.

One of the applications we supported through Veracode is designed for use by travelers of an airline. The application handles everything from searching for availability to obtaining tickets.

The solution does not require any maintenance. I am logging into my organization's portal, from which I have a direct link to access Veracode. I do not need to do anything else, such as create content or install anything.

We have found the static analysis to be useful in Veracode Static Analysis. However, we are in the process of testing.

Veracode Static Analysis could improve the terminology. For example, I do not know what the sandbox scan does. The terminology and the way they have used it are quite confusing. They should have a process of capturing problems that users are having on their end.

Veracode Static Analysis should adapt and detect the vulnerability which is coming from customers.

I have been using Veracode Static Analysis for one and a half years.

Veracode Static Analysis is a scalable solution.

We have approximately 10 people using this solution in my organization. However, we do not use it daily.

We previously used a free tool that is integrated into the Eclipse.

The initial setup of Veracode Static Analysis is in the middle range of difficulty. We had some minor issues but we had some guidance and support. It took us approximately one month to scan all of the microservices.

Our IT team did the implementation with support from the Veracode team. The Veracode team was very good.

The price of Veracode Static Analysis is on the higher side.

My advice to others would be to follow the instructions and they will not have any issues.

I rate Veracode Static Analysis a seven out of ten.