Veracode Reviews

Application security management.

We've been able to provide reports to our clients that show applications are either flaw-free, or in the process of being remediated, and give them timely status updates on how those flaw remediations are going on.

Our customers have benefited by being able to have a little bit more assurance from us, from a trusted authority, that our code is properly flaw-free and remediated.

The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws.

We have been able to integrate Veracode through many of the IDEs that our developers use, using the Veracode APIs, or they've been actually been doing this manually as part of their SDLC.

Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year.

That would probably be the biggest area, access to more granular data that we could pull and use on a regular basis. Better dashboards. That kind of information.

It's stable, absolutely. They do regular maintenance schedules. Aside from that, I can't really think of a time where it has not been a stable product or unavailable. 

No issues with scalability.

We engage their support teams quite often actually. Part of our licensing package is a good number of hours per month for our development teams to work with their support teams at Veracode, to help solve remediation issues, troubleshoot some of the flaws that they encounter or can't understand. Their support teams have been able to work with our development teams very well.

We were not using a previous vendor prior to this. We've used other vendors like Nessus for pen testing. We still use those. Veracode was just more of an addition.

The setup has been more of a phase-in approach, and it's been gradual. It's been kind of a "trial-by-fire" setup with a lot of our development teams because most of our development teams aren't used to doing this. So, it's been a trial, I guess more so on our side, to get the adoption going on. It's just part of training our team to actually know there's something they need to do on a regular basis.

Regarding any cost savings relating to code fixes since we implemented Veracode in our development process, I can't say I have that information off the top of my head.

Just do your research. Make sure you're getting the best price on this. It can be expensive to do this, so I would just make sure that you're getting the proper number of licenses. Do your analysis. Make sure you know exactly what it is you need, going in. Then just see if it can work. Try and make sure you get the best price possible.

I was not part of the evaluation team on this, unfortunately. But I believe the other options were evaluated as well, but I don't have access to that information.

In terms of Veracode providing AppSec (application security best practices) and guidance to our teams, they've been able to adapt their scanning and remediation in their SDLC, which is something we did not have really before. It's been a little bit of "not the best honeymoon" so far, doing this with our developers, but they've started coming along here in the past year and a half.

The advice I'd give is look around, make sure it's the right fit for you. Make sure that the tools they offer are a good fit for your organization. And make sure this is something that you really feel would be good for your company. If you aren't currently doing this kind of analysis on your code, I would take a strong look at whether this is something that you really should be doing. It's a different world out there right now.

I would recommend Veracode very highly, especially since the program management staff that I work with from Veracode are some of the best people that I've worked with in this industry.

Software security, static code scanning.

It has performed very well.

The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from happening in the future.

It helps us gain confidence that the applications we're putting out in the hands of millions and millions of people have that industrial-strength quality to them; that we don't need to worry about as much as we used to. 

• Completeness, comprehensiveness
• speed
• ease of use

We have such a wide variety of users for Veracode, including security champions, development leads, developers themselves, that the ease of use is really quite important, because we don't assume anything about what those people might already know, or need to know. It just makes it very useful for anyone who has to engage with it.

I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline.

Three to five years.

Stability has been great. I've never seen any downtime, in four years.

We went from 50 applications in 2015, we're now up to over 400. There seems to be no limit on how quickly it can scale and operate.

They're outstanding. Best in class. Absolutely. They bend over backwards to help us. We'll come up with questions and within minutes, we'll get answers. It's amazing. It's truly amazing.

It was very straightforward. Veracode was very helpful, hand-holding - anything that we needed - they were right there and made it very simple.

We had been evaluating various different types of source-code scanners. It was a fundamental element of the program and we knew we had to have the best one that would meet a wide variety of applications: development, apps, as well as a wide variety of geographic dispersion of the people writing these apps. 

We had IBM, we had Fortify, we had PMD, and there was one other scanner at the time that we were evaluating. Veracode came out on top, in almost every category.

By using a cloud-based scanner, we really had no issues with where the developers are geographically located. So we didn't really have setup problems at all. It just kind of happened, and scales fairly naturally, organically.

The most important criteria when selecting a vendor are

• reliability
• customer service.

Take advantage of all of the help that Veracode provides, for implementation, operations, and maintenance, because they absolutely know what they're doing.

We are developers who utilize Veracode for the static and dynamic scanning of our applications.

Veracode provides both us and our customers with confidence that our applications do not have any issues by helping to prevent any vulnerable code from being deployed in production.

Veracode has helped us improve the way we conduct static and dynamic code testing in our organization. Based on the reports we receive, we can quickly identify what needs to be fixed immediately after the scan. For minor issues, we are given time to address them after moving into production, but for major issues, the application is unable to enter the production phase.

We utilize Veracode for static and dynamic code scanning in our software configuration and lifecycle management. It is integrated as part of our pipeline, allowing the code to be automatically scanned in the background. This enables us to review the reports promptly.

The information provided by Veracode enables us to easily rectify vulnerabilities in the workflow.

Veracode can help our developers save time, depending on the issue and the age of the application.

Veracode saves time by automating the basic tasks that were previously performed manually.

Veracode has had a positive impact on our security stance and has empowered our customers to confidently migrate their applications to the cloud.

The static scan and the detailed reports, which include issue information and permissions, are the most valuable features.

Veracode does not support scans for .NET Blazor server applications. We encounter errors whenever attempting a scan. I would appreciate it if Veracode could incorporate support for these applications.

I would like Veracode to offer code support for the latest releases of .NET whenever they are released by Microsoft.

I have been using Veracode for over one year.

Veracode is stable.

The technical support is helpful, but they operate on their own schedule, so in certain instances, we have to endure a considerable wait for a resolution.

Neutral

I give Veracode an eight out of ten.

Our customer provides us with a Veracode profile account for uploading and testing code. We do not manage the solution or have any insight into how it is deployed.

I highly recommend Veracode for assisting in identifying vulnerabilities in code.

I have learned that Veracode can confidently scan and detect vulnerabilities in code. However, for older or unsupported applications, we need to seek an alternative solution.

We use this solution for Digital Health.

This solution has helped us in developing a secured product.

Veracode is fantastic! All of the features are valuable.

My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople are fabulous. They are engaging.

I would suggest charging the developer for training, as it's not very expensive.

Only charge for developer training because it's a service you give now and they may need to be technical support. 

It costs them money to do that, but with the technology, an incremental user is negligible incremental costs, which doesn't really cost them. That's software economics.

I would like to see them only charge for developer training for the qualified startups and start charging for the licensing once the product goes into production, and available.

I have several years of experience working with Veracode.

When we used this solution a year ago, we used the most current version.

It's a stable solution. I would rate stability a ten out of ten.

It's a scalable product. My rating out of ten would be a ten, scalability-wise.

We have a software development manager and three other people who are using it.

Technical support is phenomenal. They are fabulous and very responsive, it's amazing.

Previously, I did not use another solution. Because I knew Veracode for many years, my approach with the company was that it was a startup and we need to do it securely. This is s why we went with Veracode.

The initial setup was straightforward. It was extremely easy and took only a few hours to deploy.

We have a team in-house to implement this solution.

The pricing for qualified startups such as Neo4j could be improved.

It allows startups to develop a secure product, but it takes time for startups to get money for the products. 

Veracode could provide the services, at a significantly lower price during that period with a condition that the moment that it becomes production, Veracode has to be paid.

If they would change that, it would be phenomenal for the entire industry and for them.

Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward.

At the time that we used this solution, we were a startup, the software may not have been that complex. It's not like Oracle.

My advice to others who are interested in using this solution is to pay attention to the full instructions.

I would rate Veracode Developer Training a ten out of ten.

We focus on these two use cases: 

1. Our first use case is for Static Analysis (SAST). The purpose of it is to scan our code for any vulnerabilities and security breaches. Then, we get some other reports from the tool, pointing us to the problematic line of code, showing us what is the vulnerability, and giving us suggestions on how to fix or mitigate them.
2. The second use case is for the Software Composition Analysis (SCA) tool, which is scanning our open sources and third-party libraries that we consumed. They scan and check on the internal database (or whatever depository tool it is using), then they return back a report saying our open sources, the versions, and what are the exposures of using those versions. For any vulnerability, it suggests the minimum upgrades to do in order to move to another more secure version.

Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt their suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code. The tool points to problematic methods with the vulnerability and provides ways to code it more securely.  By adopting their suggestions, we are fixing this vulnerability.

Once you run the tool and realize that it is not secure to use a certain method or function, then you fix it. Next time that you want to add new code, you don't want to repeat that mistake. So, you're already adopting the original suggestion, then writing more security code.

If we continued to scan and fix issues, which is an ongoing battle because every day as there are new vulnerabilities, we are on the safe side.

It is faster to adopt and use because it's a SaaS software. As a service tool, we didn't have to deal with any installation emails. We also didn't have to download packages, upgrade, or maintain their on-prem machine, which is usually the case for on-prem solutions. This is a critical point that we needed to consider when adopting the right tool. So, SaaS was a deal breaker for us. 

I don't have any complaints about the policy reporting for ensuring compliance with industry standards and regulations. It is good and a mandatory part of our process.

We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it.

About six months.

The technical support was good. Even with the time zones changes, they took the examples that we provided about how our call works and investigated them. When they didn't get an answer initially, they contacted someone else to assist. Overall, our experience was good.

The turnaround time and response times are good. We always got a response, even if they said, "It will take a while, as we are still investigating." One day after always, we always got a response, even if it was, "We need time to investigate." 

I would differentiate between the initial response time for our needs and the resolution time for the issue. The representative themselves respond pretty quickly to our needs. We exchange phone calls with them or email, and they responded quickly. Some of the issues that we experienced were due to our specific code languages and packages that didn't work smoothly with the tool. For those, the representative had to approach the Veracode R&D team. It took more time to involve R&D, but we eventually got a resolution from them after a few days.

To get into the solution, it took some tries to understand the structure of our repository and the code that we were using to write dependencies, etc. So, it took a bit of time, but then in the end, the solution was easy to connect.

It took about a month until we completed integration of Veracode tools into our own systems. Eventually, the tools needs to scan our code that resides on our machines in our on-prem environment. The integration of Veracode on the cloud with the on-prem repository and our processes took time. We worked with the Israeli representative of Veracode to help us. However, it was about a month overall until we stabilize it.

An Israeli sales representative for Veracode came to our office and worked very closely with us. They escorted us through the process of doing the PoC, examining the results and tools, and how to use them. We found it straightforward. There were some hiccups and some problems in the beginning, but not something significant in the general overview. It was easy and fast to adopt.

Our customers demand that we provide secure software. Veracode is giving us the mandate of claiming that our code is more secure because we are using an external third-party, neutral tool to examine our code and expose vulnerabilities. By fixing them, Veracode takes some of the responsibility, which is kind of a diploma that we can wave when we are negotiating with our customers.

We compared it with other tools as part of our proof of concept to adopt the right tool. Eventually, we selected Veracode because the tool provided us the easiest, fastest solution for our two use cases.

When we did the PoC to compare it with other tools, before we decided to adopt Veracode, one of the benefits that we saw is its reports are more focused on real issues. Other scanning tools that we tried, they produced much bigger reports with hundreds of vulnerabilities. That is too many vulnerabilities, so you cannot manage them nor decide where to focus. Using Veracode helps us focus where we need to.

We have used a Checkmarx tool, which is a competitor of Veracode. We have also examined Micro Focus Fortify and some other monitoring tools, which gave us a partial solution, had only static code analysis, or had only the open sources for composition part. We wanted one tool which does everything; we found Veracode all-encompassing.

The solution is efficient when creating secure software. Though, it depends on how you adopt the tool and how frequently you're running it. As long as you keep it as part of your routine and frequently run the tool, you will catch vulnerabilities closer to real-time. Eventually, you will improve the security of your software.

We haven't seen a lot of false positives. However, the tool points us to vulnerabilities to fix, which because of our behavior or software, we don't necessarily need to fix because we have other protections.

We are not using it for cloud software. Our solution is only on-prem.

I would rate this solution as an eight out of 10.

We use Veracode for its code analysis features, which include static code analysis, dynamic code analysis, and checking for security flaws in our code. Mainly, we utilize Veracode for application security, making code security one of our primary use cases.

Since implementing Veracode, we have seen significant improvements in our code's security and the overall code development process. Veracode has been instrumental in enhancing our code security and streamlining the development workflow. In the past, we relied heavily on third-party applications that were not directly aligned with our codebase. However, now we can seamlessly integrate Veracode into our application process, saving a substantial amount of time. Veracode has not only improved our security setup but also enhanced the overall security of our organization.

Before implementing Veracode, the same process that used to take one hour now only takes 15 to 20 minutes.

Veracode's policy reporting for insurance compliance with industry standards and regulations is good. We can integrate numerous reports, and the positive reporting feature is also highly commendable.

Veracode provides visibility into the application's status at every phase of development.

Veracode works very well overall, and our security has been greatly improved, significantly impacting our ability to fix flaws.

The security process has been improved. Before using Veracode, we used to perform it manually. However, at that time, there was no application that could be integrated with the code. Now, with Veracode, we can directly integrate it with our code. As a result, security checks are being done automatically, saving us 30 to 40 percent of our time.

Veracode offers various security features. Veracode performs the analysis using three different methods: static analysis, dynamic analysis, and software composition analysis. These security features are the best, and the most valuable features.

Veracode's ability to prevent vulnerable code from going into production is commendable. However, we have encountered numerous cases of false positives that need improvement.

The technical support service has room for improvement. There are times when we rely on them, but we are not receiving an adequate response.

The stability has room for improvement.

I have been using Veracode for one and a half years.

Veracode is stable, but there is room for improvement.

Veracode is highly scalable. We have not had any issues with scalability. 

Before I joined my organization, they used a third-party application to check code. Since I joined, we have been using Veracode.

The initial setup was somewhat complex. The deployment took a couple of weeks because we needed to resolve numerous technical issues that we had to understand first. We had six people involved in the deployment.

Veracode's price is reasonable.

I would rate Veracode an eight out of ten. I recommend Veracode to others.

Veracode's false positives significantly impact our developers. When we encounter numerous false positive cases, we are required to conduct extensive reviews. How much it affects our developers depends on the number of false positive cases we are encountering and the significance of addressing them concerning the criticality of writing the code.

Veracode can save time in our DevSecOps process, but it may not significantly reduce costs.

Organizations that have security flaws in their code and seek to enhance their core security can consider Veracode as one of the best options for investment. Veracode is easy to implement and can effectively address the flaws in the code, provided that cost is not a significant concern.

Maintenance is required from time to time, specifically regarding false positives. We need to verify whether the system is functioning properly and communicate with the support team. The intervals for these checks occur after approximately 30 or 60 days, which we have selected, and we must strive to improve the system during these instances.

Veracode is deployed at two locations within our organization.

I'm a security practitioner and I use it for security and vulnerability scanning and assessments.

The main purpose of getting Veracode was to serve as a solution for scanning lines of code which was lacking in the organization. It has improved the quality of code being delivered for test and its vulnerability resolutions timeline has improved.

The static scan module is the most valuable. 

In the next release, I would like a proper way of packaging files for scanning and the packing of IOS apps and API Dynamic scan methodology. 

Also, there seem to be lots of false positives. This can be improved upon. 

I've been using Veracode for about six months.

The solution is stable.

It is scalable.

The technical support has been quite helpful. I had a consultation yesterday and it was straightforward and explanatory. They seem to be okay. The customer rep helped resolve the issues observed. Although there were issues encountered which were not answered, I was referred to the support option on Veracode. 

Positive

I've used quite a few other solutions including SonarQube which is similar to Veracode. The challenge with SonarQube was financial, it charges per line of code while Veracode charges per application.

Initially, the setup was complex for those who had not done solution integration. However, my team was able to pick up after the refresher course. 

We implemented the solution in-house.

We've just concluded the onboarding this year. I can see improvement, but I can't really equate it to a monetary value. This will be determined by the financial team. 

My advice to anyone considering Veracode will be to negotiate with the team directly and define what constitutes an additional application.  

We evaluated other options.

The process of packaging scannable modules is not straightforward. 

We use both the static and the dynamic scanning. What we do is run the code through the scanner once we make any modifications. And periodically, we also run the dynamic to connect several applications. We use Veracode to check for specific vulnerabilities such as cross-site scripting. When we are checking for those vulnerabilities, we take a portion of code that is going to be generated and we run the scanner.

We work a lot with open sources. Using the Static Analysis, the Dynamic Analysis, and the scan module, we can control everything we do via Veracode. Moreover, because all our applications are security applications, keeping a high security standard is really important.

The visibility into application status across all testing types in a single dashboard is helpful because, even if you are running different types of scans, you have everything in one place. You have a unique dashboard to control all the applications, and that is good.

Overall, we've never had any problem with vulnerable code going into production. It's quite a solid tool. We have a really good feeling with this solution.

The most valuable feature is actually the support provided by Veracode. Once you start to use the platform, you can mount the IDE plugin for your script. The advantage is that you can run the scan and check what the problem is and you can fix it yourself. Support could be used to address something that could go beyond your skills. If you use Veracode Greenlight, you have a small pop-up that you can use to interact directly with the team and you can ask a consultant to advise how an issue can be fixed. One of the good things about the Greenlight plugin is that it is very simple. There are several guides that tell you how to install it. It's a matter of one or two minutes and you are ready to go.

Once you check something, they provide links, not manually, it's all automated. When you want to check into a vulnerability you click and open the website where there is a description. If this is not enough of an answer, you can ask directly by scheduling an appointment with a Veracode guy.

Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced. They don't teach you how to develop in Java, Python, PHP or C#, but they instruct you about the best practices that should be adopted for secure code developing and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool. And as far as I know, there are no other competitors that offer it.

The best stuff is the training: this enables your team to adopt the same programming approach, although these people have a different background or joined the projects in a different phase. Doing that, they can take the training and be aligned so that they all write code in a good way.

We also use the Static Analysis Pipeline Scan and it's quite good. They provide several of the most common templates for pipelines. You see the process, while you program, right up until you package an application, and that the platform is able to detect things that are a blocking point. Before deploying to the production, you already know what is doing. And the speed of the Pipeline Scan is quite good.

Another good feature is the policy reporting for ensuring compliance with industry standards and regulations. We test compliance for medical devices, for GDPR, and for payment methods. These are all good. If you are not correctly prepared on one of these sets of regulations, you know that Veracode is going to take care of it using pre-prepared templates. But we can also customize our own policy if we are facing a unique use case. Even if it's not really common, we can take a regulation and build it the way we want it to look.

In addition, you can check everything from the dashboard. Veracode provides a web portal that is connected with your account and through that you can check the status of all the deployments that were run. And suppose you also have an application that is quite complex. You can deploy and upload it through the portal. When it is ready, you receive a notification from the portal that the job has been done and that you can check the results. When you go to the dashboard, you have the OWASP vulnerabilities. There is a really simple graphic with the colors showing how many vulnerabilities have been found and how much these vulnerabilities are repeated in your code. It also tells you the potential effect, if it is a backdoor data breach, for example, etc. It also suggests what you can do to remediate. It might suggest modifying code or changing the status of some part of the development, or updating a third-party.

And if you have people on different projects, there is also a role management feature, so you can select, for example, that people who are working on a given project can only see that project. If you are running something with different levels of classifications, for example, if you have an external consultant, it does not affect the confidentiality of the system. When people are collaborating, not all people are at the same level of an NDA. It is good that each person can see only their part implementing Need-To-Know.

It also integrates with developer tools. We use IntelliJ and Eclipse, among others.

They should invest in mobile security.

I have been using Veracode since 2017.

We have never faced a problem or any downtime.

We haven't perceived any issue when it comes to scalability. But it's true that if you have more tenants, the response of the scanners is going to get released quicker.

I would rate Veracode's technical support at nine out of 10. They would probably deserve a 10 but it is not as quick as it should be. They need to increase the support workforce. The support people are well-prepared, but it can sometimes take one or two days to get the right guy to do support.

The previous solution that we were working with was mainly focused on the quality of the coding. We are happy with Veracode because it's focused on security.

The initial setup is very simple. The Veracode guy who accompanied us made it appear really straightforward.

It's a SaaS solution so once it's prepared on the Veracode side, to deploy onsite may take up to a couple of hours to get everything prepared, mainly due to the configuration, for a simple implementation. Overall, setting up the product is quite straightforward. 

In terms of managing the code, it's quite simple for us because we are all technical guys. Once we saw it working, it was really easy to manage. We have three people who use the solution and they are all developers.

The Veracode team is replying fast and the proved a strong expertise in every challenge.

We could save some money having an on-premise solution, but the fact that this is a SaaS means we can be sure that it's updated. It's outsourced. In terms of cost, I don't see a big advantage, but in terms of operations there is because we don't have to take care of it. We know that if, somewhere else in the world, somebody detects a vulnerability, a few minutes later we will already have a patch. This is extremely important for us. Nobody in our company has to touch anything to get this.

If we had to designate one or two people to take care of maintenance of an application, at some moment one of them might not be updating things. With Veracode, we know that we don't have to worry. We just have to focus on our development. We don't consider maintenance at all because it's all managed.

The pricing is quite standard. It's not cheaper, it's not more expensive.

We looked at other vendors but we selected Veracode because it had a top rating in industry reviews. For us, that was like a warranty.

We were skeptical about running scans with a cloud-based solution, but then we saw the benefits. Everything is up to date without us having to lift a finger. We know we don't have to take care of maintenance. 

Also, if you work in the domain of medical devices, payment methods, or other things that are related to privacy, Veracode provides all these modules. This is a big advantage.

Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly.

False positives are not a main problem. The platform does try to overprotect but, of course, a system like this can only understand the syntax and not the semantics. So it's overprotective when there is a doubt. Sometimes, we ignore some of the advice received.