Rishabh Khanna - PeerSpot reviewer
Security Engineer at a tech services company with 5,001-10,000 employees
Real User
Good for legacy technologies but the DAST engines are primitive
Pros and Cons
  • "The solution can scan old databases and old code written 20 years back."
  • "One of the most important areas that need improvement for Veracode is its DAST. Veracode's DAST engines are primitive."

What is our primary use case?

I worked as a security tester for a service-based Indian IT company. I had admin rights on the application, where I used to provide access to other developers so they could execute unit-level tests directly from their console. There are many types of security testing activities, such as false positive analysis or looking into the code from a secure point of view, getting the mitigations done, and then retesting the applications.

How has it helped my organization?

We initially had more than 15,000 vulnerabilities. Veracode helped us to regulate all the teams. I gave the consult level access and a basic level of access to developers. My manager and I trained the developers in secure coding practices.

DevSecOps is a process that helps improve security in software development. From a DevSec perspective, it is a great way to improve security in software development. However, from a DAST perspective, it is not as good because the results cannot be easily integrated into the CI/CD pipeline. Integration with Jenkins is seamless. It didn't make much of a difference for us, but it could be different for other applications of the latest technology. Veracode has the feature of issue creation in the Jira portal itself. For example, if we're scanning an application and Veracode reports 15 issues after the security scan is complete, the solution will automatically create Jira tasks related to security, which can be assigned to the appropriate developers. Veracode is good from that perspective, but it needs more evolution. The solution needs moderation because if by some chance a big module or issue pops up, we could get 10,000 issues. That would be a real complication from the Jira point of view.

When it comes to false positives, I used Veracode for two-and-a-half years and it has been fine and fair.

When our developers find a false positive it doesn't make much of a difference. They are just happy knowing what is wrong and right. Developers know how to code, but they don't know secure coding. We are generally there to guide them and most of the time, I used to do the false positive analysis by myself and not leave it to the developers. The developers would get a refined and concrete number of vulnerabilities to quickly work on. In some cases, the developers also find issues that we missed because we have to work on multiple applications at once.

I don't believe there's any cost related to the machine-learning side of Veracode, but it takes a lot of time because SaaS issues are those that couldn't be resolved by a junior or intermediate-level developer generally. Most of the time, these issues are resolved by people with five-plus years of experience because there are security issues. To understand the security complications, we need to have some knowledge of the architecture and design levels of the application. If we don't have design-level information, it's difficult to correct. Without a senior-level developer to guide us, it can cost us a lot. The senior resources getting deployed could be used elsewhere for more development activities. However, the mitigation is provided by Veracode and the detailed report is very good.

Veracode has helped fix flaws affecting our organization by making the applications a lot more secure.

What is most valuable?

We use a code review-based tool, so the unique aspect of Veracode is that it is really good for legacy or old technologies. It can scan old databases and old code written 20 years back.

Depending on the technology we are working with, the solution's ability to prevent vulnerable code from going into production whether it is Java-based code or ASP.NET, the efficient number of identification codes is the best in the market for legacy technologies. I would use Fortify or Checkmarx to test accordingly using the latest code.

The best feature I like about Veracode is the ability to give low-level access to accounts. The identity access management system is really good and we can even integrate it with the IDE. For example, if we're coding in Eclipse or something similar we can push the code from the IDE directly into Veracode's backend to have its security tested. It is cloud-hosted and the downtime is very minimal. We could check the results anywhere, anytime. This makes the platform's independence very good.

The solution provides visibility into application status at every phase of development. We can see and make adjustments accordingly at each level.

Veracode is a great solution for old applications. I would only recommend Veracode for older applications.

What needs improvement?

One of the most important areas that need improvement for Veracode is its DAST. Veracode's DAST engines are primitive. They need to work on that. It needs to be their number one priority.

The number of vulnerabilities and quality of the latest technology when compared to other scan engines such as Fortify and Checkmarx is not as good.

Veracode has multiple sides when it comes to dynamic testing. They offer software composition analysis, dynamic scans, and static scans. However, I would not recommend Veracode for dynamic testing because it wasn't able to scan many of our applications properly. Some of the other solutions were really efficient and proactively reported a lot of vulnerabilities. The Veracode scanner was not able to properly scan the applications because of authentication issues and login issues. HP WebInspect and Micro Focus WebInspect allow us to make scripts by ourselves, which will then enable the scanner to scan the website in a more proper and systematic way. There were a lot of complications with Veracode's dynamic point of view, and a negligible amount of vulnerabilities were reported. On the other hand, when I tried Netsparker or Micro Focus WebInspect, things were really good.

If we have to scan the latest code, for example, if we have written a piece of code in Angular or Node.js, we can't consider the solution because it is not as good as other solutions using newer code.

Buyer's Guide
Veracode
October 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,192 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Veracode for two and a half years.

What do I think about the stability of the solution?

Veracode is stable, but every now and then something breaks. From a stability standpoint, I would give the solution a seven out of ten.

What do I think about the scalability of the solution?

Veracode is scalable. I give the scalability a ten out of ten.

How are customer service and support?

The technical support is really slow. Their availability is sparse. It sometimes takes two months to have a resolution.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

I started my career with Veracode, a DAST review tool. I worked there for two-and-a-half years.

How was the initial setup?

The solution is not deployed on our systems. It is cloud-based and only requires logging on.

What's my experience with pricing, setup cost, and licensing?

The requirements for the code determine whether Veracode is the best option or not. If the code is 15 to 20 years old, and it is very important, then Veracode is the best option. If the code is very new, then I wouldn't want to spend any money on the solution. It all depends on the requirements.

There is a fee to scale up the solution, which I consider expensive.

Which other solutions did I evaluate?

We did POCs and collaborated with Fortify, Veracode, and Checkmarx to see who gives the best results for all the applications. Veracode gave the best results, so we chose them for our organization.

What other advice do I have?

I give the solution a six out of ten.

Veracode has not directly helped our developers save time. There was no interaction between the Veracode team and us, so it was minimal whenever some issues such as false positives are reported by the solution. There were some issues with the Veracode engines a few times that required customer support to resolve.

I used to go to Veracode's website and log in. It was updated automatically, and I could access it from multiple devices. I'm not sure which cloud they were using, but it was managed by Veracode.

We have around 18 people using Veracode and two of them are administrators.

Veracode is accessed via a website on the internet. Their backend team takes care of any maintenance that is needed.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
ML engineer at a consultancy with 10,001+ employees
Real User
Top 20
Effective at preventing vulnerable code from going into production and provides valuable insights through code scans
Pros and Cons
  • "The most valuable feature is Veracode SDP, which allows for something related to third-party vulnerabilities. When we build a product, we use a lot of third-party libraries instead of building everything from scratch. We just use a library which has already been built; we just use that component in our product. Sometimes, these libraries may have bugs or issues, and it's hard to keep track of them because we use thousands of them."
  • "One area for improvement is the navigation in the UI. For junior developers or newcomers to the team, it can be confusing. The UI doesn't clearly bundle together certain elements associated with a scan. While running a scan, there are various aspects linked to it, but in the UI, they appear separate. It would be beneficial if they could redesign the UI to make it more intuitive for users."

What is our primary use case?

We use Veracode mainly for identifying any vulnerabilities in the software. We do a lot of development, and before we deploy any product to our client environment, we want to make sure there are no vulnerabilities in the code and also follow best practices. 

We run scans to identify the criticality of these bugs and vulnerabilities, and we try to mitigate them. If it's not possible, we get an exception. At least we are aware of the vulnerabilities in our code, making sure our code is secure and not exposed to any threats like hacking.

How has it helped my organization?

In my organization, we have a policy in place. Every company has a different policy; at least our company has specific requirements where we expect everyone to build the tool or the software to some extent, following some best practices. 

Veracode helps us embed those policies into the scan. When we run the scan, the administrators have already set the policy, defining what needs to be checked and what can be ignored. It helps us when we run the scan because it provides a score based on the policy level. This score certifies how well the tool has scanned the code. 

We can then show this certification to demonstrate that the product meets the required standards and can be trusted without any issues. So, we are working with the solution's policy reporting to ensure compliance with the industry standard.

For our product, we use static analysis. We're not using any agent-based solutions, but we are planning to hook it into the CI/CD pipeline in the future.

Veracode has been helpful because, in the past, we used to integrate Veracode scanning into our CI/CD pipeline. Sometimes, what happens is a junior developer sees a third-party library and thinks, "Oh, this tool is helpful," and they bring it into our system to build something.

However, even if it's a third-party tool, we don't know what vulnerabilities that code may have. At least now, whenever we push code, Veracode can catch any vulnerabilities, and if it fails our build, it prevents us from deploying that code into our environment. It clearly states, "This code has a vulnerability; I can't deploy it." So, it effectively blocks us from deploying risky or vulnerable code in our tool. It helps us quickly assess the risk of third-party tools and take action promptly instead of building something and realizing two months later that we need to go back and fix it. That's not going to happen; we can identify and resolve issues within a day.

The tool is great in terms of ensuring our code is clean, recommending best practices, and capturing the flaws in third-party components.

Veracode has an impact on our organization's overall security posture. Because when we do development for internal purposes, we don't run a Veracode scan very often. But when we work in a client environment, if they want us to build something for them, we absolutely need to ensure that we haven't introduced any flaws or problematic code into their system.

Veracode helps us maintain the reputation and branding of our company, which is crucial for us. It's important to ensure the code is free from vulnerabilities and not exposed to hacks. It is very important to us.

What is most valuable?

The most valuable feature is Veracode SDP, which allows for something related to third-party vulnerabilities. When we build a product, we use a lot of third-party libraries instead of building everything from scratch. We just use a library which has already been built; we just use that component in our product. Sometimes, these libraries may have bugs or issues, and it's hard to keep track of them because we use thousands of them.

Veracode's tool scans every single library and gives a dashboard showing the number of libraries, high and low criticality issues, and whether a product has any issues. It helps us assess the libraries and decide whether to resolve the issues or replace the library to minimize risks.

I like the solution's ability to prevent vulnerable code from going into production. It does a pretty good job in most cases, but I have seen a few false positives in the code scan. It means that sometimes, like recently, we run a scan where we encounter a part of JavaScript code where it's just a string evaluation. Despite not posing any real threat, the system flagged it as a potential vulnerability, suggesting it could be exploited to hack into the system. We looked into that code and found it wasn't the case; it was a false positive. It wasn't a big issue because we reported it to Veracode, and they made an exception and resolved it. It does a pretty good job, but sometimes it can be very misleading.

However, the solution's false positive is not a big deal because it's very minimal. Veracode does a very good job, but 99% of the time, it works well. Only, like, 1% - 2%. Like, sometimes we manage false positives. It's not a big blocker as well. Every software is not perfect. Also, these are very minimal fixes. Sometimes, if we raise a support ticket to mitigate this issue, the response is also pretty good, and it can be resolved within one or two days. So it's not that big of a deal.

What needs improvement?

One area for improvement is the navigation in the UI. For junior developers or newcomers to the team, it can be confusing. The UI doesn't clearly bundle together certain elements associated with a scan. While running a scan, there are various aspects linked to it, but in the UI, they appear separate. It would be beneficial if they could redesign the UI to make it more intuitive for users.

In future releases, I would like to see some features. For example, there's a library we use as a third-party library. Sometimes, Veracode indicates that we can't use a particular tool because it has a lot of vulnerabilities in the code. It would be nice if Veracode's scan could show an alternative library to use instead of the one flagged as problematic.

So instead of us having to go back and research, trying to figure out what other tool we can use as an alternative, if Veracode could provide those recommendations within the tool itself, it would be nice.

For how long have I used the solution?

I've used the product for almost three to four years, but it's been a while since I haven't used the tool. But I started using this solution again. I started working on it again in the past month.

What do I think about the stability of the solution?

Veracode is 100% stable. We haven't encountered any issues.

What do I think about the scalability of the solution?

It is a scalable solution. Veracode has a concept called Sandboxes, which is an amazing feature and pretty useful. I can kick off multiple scans, and they all run independently. There's no interference between scans. So, it's highly scalable, and we haven't had any issues with it. It is good.

For our team, we currently use it for two projects.

How are customer service and support?

I've personally interacted with the customer service and support recently for a few issues, and their support is amazing.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is very easy. It's not that complicated.

Moreover, the false positive rate of static analysis can affect the time spent on tuning policies. It took at least one day for me to raise that mitigation and approval ticket to look into it. Veracode needed to spend, like, six to eight hours, which essentially goes up to a day to resolve it.

The solution has 100% helped our developers save time. 100% right now in terms of ensuring the code is good and deploying it safely. Veracode definitely helps us be very confident when we go for product releases. It has helped our developers save time.

As a lead developer, it takes me one or two days to set up everything in Veracode scan. Once it's set up, the junior developers don't need to do a single thing. They just push their code, and they don't even realize that a scan is running in the background. So they don't need to worry about it. However, in terms of readiness for the production release, Veracode definitely helps us be confident and quickly identify the risks. There's a huge benefit in that area.

What about the implementation team?

In the beginning, two or three years back, we were pretty new to Veracode, and we did seek help from the Veracode consulting team. Their support is amazing. If I send an email for any help, they respond within 30 minutes. Their response time is good, and they provide clear guidance.

I've personally interacted with them recently for a few issues, and their support is amazing.

So, initially, we did take consultation when we set it up, but once we became comfortable and familiar with the process and the documentation was also clear, we started managing it ourselves.

For the implementation process, when a developer pushes changes to the master branch or a feature branch, the first step is to trigger the Veracode scan in the CI/CD pipeline. We use Azure DevOps for this.

The next step is to include the code in the Veracode scan. This is the second step. Before going into further steps like building the Docker image and containerizing the application for deployment, we have a condition in place. If the Veracode scan doesn't complete successfully, we don't proceed to the next step, and the entire build fails.

We don't need a lot of members for the deployment part. It's only me and my technical expertise, like, one or two people. Any DevOps is enough.

We don't see much need for maintenance. It's pretty easy to manage. Veracode is also maintained by a dedicated team internally, and they provide support for everyone within the organization. So, if there are any upgrades or maintenance required, they take care of it. But from our team's perspective, there's no need for ongoing maintenance. We set it up once, and that's it.

What's my experience with pricing, setup cost, and licensing?

The solution reduced the cost of the development setups for your organization. It is a key feature of Veracode. Once you set it up for the first time and integrate your CI/CD pipeline with our DevOps cycle and the Veracode scan, it takes two or three days to set it up initially. 

But after that, it's a one-time effort. You don't need to do anything further. You need to kick off the pipeline, and it runs the scans automatically, providing artifacts for you to review in the report. So it helps in the long run. Once you have your project set up correctly, there's no need for manual intervention at all once it's hooked up. It's a significant long-term benefit.

Which other solutions did I evaluate?

We have a dedicated team that handles research, but I personally have only used Veracode for scanning. Our team used to use SonarQube.

Our company used to run both Veracode and SonarQube scans for certain projects. Sometimes, some of the scans were not included in Veracode, so the team used SonarQube for those. However, this was quite a while ago, about two years back.

What other advice do I have?

I would suggest starting Veracode scans at the earliest stage of development. It's crucial to catch vulnerabilities and risks early on so you don't invest too much time building something only to realize later that it can't be used due to a lot of issues, especially with third-party components. Using these tools as early as possible will benefit you in the long run and allow you to ship your product more quickly.

Overall, I would rate the solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Devid William - PeerSpot reviewer
Application Security Coordinator at Banco Votorantim
Real User
Top 5
Leaderboard
Good visibility and reporting with few false positives
Pros and Cons
  • "Veracode's policy reporting for ensuring compliance with industry standards and regulations is great. I"
  • "They could improve how they fix vulnerabilities. They could have more support in place to help the developers."

What is our primary use case?

It's a fast solution, so we use it to search for vulnerabilities in our code, software composition analysis, and to search for vulnerabilities in our libraries. 

How has it helped my organization?

We have some security gates and it's not possible to release some applications from production. We can look at the solution and see medium, high, or critical vulnerabilities with ease at every stage. 

What is most valuable?

The speed is the most valuable aspect.

Veracode's ability to prevent vulnerable code from going into production is very good since we have a few false positives. I'd rate this feature nine out of ten.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is great. It has a detailed report that we can look at to see our landscape easily.

Veracode provides visibility into application status at every phase of development: Veracode static analysis, dynamic analysis, software composition analysis, and manual penetration test throughout your SDLC. It positively affects our DevSec processes. It's not possible to bypass Veracode. It's very secure.

There are very few false positives. I'd rate the false positive rate as nine out of ten. It's very good. It's very positive for developer confidence. They understand security development very well and Veracode provides excellent transparency.

It's reduced the time we've spent on tuning policies. We've saved around two hours. We used to waste around 3 hours and now we can do what we need to in 30 minutes.

It's helped our team fix flaws. The security gate helps our developers learn how to fix vulnerabilities. The solution has also helped them save time in their efforts. It provides descriptions of how to fix certain items. It saves them from having to search on the internet for fixes.

The solution has had a positive effect on our security posture. I'd rate it nine out of ten. We have very secure applications. 

What needs improvement?

They could improve how they fix vulnerabilities. They could have more support in place to help the developers. That would help a lot of users.

The pricing can be improved. It is really, really expensive. 

For how long have I used the solution?

I've been using the solution for five years. 

What do I think about the stability of the solution?

I'd rate the scalability nine out of ten. 

What do I think about the scalability of the solution?

We have about 500 end users of Veracode in our organization.

I'd rate the scalability ten out of ten. It's very good. 

How are customer service and support?

Technical support is good. They are always communicative and share news and new technologies. They offer new languages and frameworks regularly.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously used Checkmarx in the past, as well as Fortify. I used it in another company. However, in banking, it's not possible to use something like Checkmarx. Veracode is more secure and more trusted. 

How was the initial setup?

I was involved in the deployment. It was not complex to deploy. It was straightforward. The implementation strategy included looking at different flags and vulnerabilities and deploying in phases. 

We had five to seven people to deploy the solution.

I'm not sure if there may be maintenance required.

What about the implementation team?

We used a third party to help with the deployment. Our experience was good. 

What was our ROI?

I'm not sure of the exact amount saved, however, we have noted an ROI. We have avoided application vulnerabilities in production. We don't need to rework things since we look at the vulnerabilities right in development instead of after deployment. 

It has reduced the cost of dev backups in our organization. 

What's my experience with pricing, setup cost, and licensing?

The pricing is expensive. 

However, if you have applications and not enough people to analyze the flags, you must use Veracode as it delivers very few false positives.

Which other solutions did I evaluate?

I did evaluate other options before choosing Veracode. I looked at Checkmarx and Fortify as well as a solution made in Brazil.

What other advice do I have?

We are a customer and end-user.

I'd rate the solution nine out of ten.

I'd recommend the solution to others. 

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PavanKumar18 - PeerSpot reviewer
Senior Testing Engineer at TollPlus LLC.
Real User
We like the secrets detection feature
Pros and Cons
  • "One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities."
  • "Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code."

What is our primary use case?

We use Veracode as part of our development pipelines. It gives us security feedback when we run our applications. Our applications are completely containerized in Docker images with a .NET 4.6 architecture. These are web-based applications, so we want to know that all the HTTP requests are secured. The tool provides us with feedback to ensure that our application security is robust. 

We are primarily running Veracode to check for vulnerabilities after the build. There is no pre-build process. We are running a post-build static analysis and dynamic analysis. We run it at the end of the development process. 

How has it helped my organization?

Veracode's ability to detect security vulnerabilities is excellent. We can feel confident that none of the vulnerabilities will make it into production. It doesn't take long to realize the benefits from it. The interface is intuitive. We could start to see value from Veracode within a couple of weeks. 

We don't have many false positives. We're using the tool's default rules and haven't done much customization. We can feel confident in the solution's results.

We can identify most of the issues before the production stage, and it also enables us to develop better practices in the development process. We also have a security testing team using Veracode to discover vulnerabilities. The discovery of issues after static analysis is super-efficient. It reduces our time spent on these tasks by about 30 percent.

Veracode has had a positive impact on our overall security posture. It's comprehensive, which is critical because our applications are mostly integrated, so we don't want to take any chances. 

What is most valuable?

One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities.

Veracode helps us prevent vulnerabilities from entering production. We can put it into the pipeline and set an acceptable limit for vulnerabilities. If the number of vulnerabilities is under the threshold, we can deploy automatically. 

What needs improvement?

Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code.

For how long have I used the solution?

I have only used Veracode for a year.

What do I think about the stability of the solution?

Veracode is stable. 

What do I think about the scalability of the solution?

Veracode is scalable.

How are customer service and support?

I rate Veracode support eight out of 10. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We evaluated another solution briefly but we decided to keep Veracode. Veracode has some issues with container scanning, and we have some container-based applications. We considered bringing in another tool for container scanning, but it was too expensive and Veracode was able to mitigate the issues well enough. 

What's my experience with pricing, setup cost, and licensing?

Veracode is affordable. It offers a good value for the security benefits it offers, especially if you're working with applications that involve payment processing. You cannot afford to take chances there. 

What other advice do I have?

I rate Veracode nine out of 10. I recommend Veracode, depending on the type of application you are scanning. It's a leading solution in this domain. Veracode is the first name that comes to mind when people are talking about security scanning. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Robert Hood - PeerSpot reviewer
Information Security Architect at a tech vendor with 5,001-10,000 employees
Real User
Top 10
Great SAST, good DAST, and helps save a significant amount of time
Pros and Cons
  • "The most valuable feature is the SAST capability and its integration into the Veracode pipelines."
  • "From what we have seen of Veracode's SCA offering, it is just average."

What is our primary use case?

My company is a financial and technical enterprise with involvement in healthcare as well. We use Veracode for scanning, utilizing both SAST and DAST approaches. The purpose of static testing is to assess our code for vulnerabilities before deployment. After completing this step and addressing any identified issues, we run dynamic application security testing on the applications we've created to ensure there are no vulnerabilities introduced after the build. These could be issues that arise during the execution of the code, rather than being inherent to the code itself.

Additionally, we are currently considering or in the process of transitioning to Veracode for a specific function known as Software Composition Analysis, which is among the services they offer.

In terms of my use cases, I oversee approximately 200 development teams managing around three to four hundred projects. About 30 percent of these projects are connected to Veracode. Moreover, I manage a user base of over 700 individuals, and many of our build pipelines include immediate SAST scanning during the building process.

We currently use Veracode Cloud, specifically the public cloud. At the moment, I am in the process of deploying two Veracode ISM management servers from their platform. These servers will be responsible for scanning our internal applications that are not exposed to the external world. One significant aspect is that our company decided to transition to the cloud approximately three years ago. Initially, we had 27 data centers scattered worldwide, but now we have reduced that number to five. By the end of this year, we plan to further decrease it to three, and eventually, we will likely have only one or two data centers in the future. However, there are certain things that we cannot migrate to the cloud.

How has it helped my organization?

Veracode's ability to prevent vulnerable code from being deployed into production is excellent. It is considered one of the best scanning tools available. We have conducted several comparisons between Veracode and other products in the market, and Veracode consistently ranks first among those we have tested.

With Veracode, the amount of vulnerable code that gets through is almost negligible. When we run a scan, we don't expect to find any significant vulnerabilities because the SAST usually catches almost everything.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is excellent. It is applicable to us as a multinational company with PCI and HIPAA requirements, and we also engage in government projects. Consequently, we are obliged to adhere to any relevant regulations, which is why we have implemented numerous policies that automatically alert us when any action might potentially violate the established guidelines.

Although Veracode can offer visibility into the application's status at every phase of development, we do not rely on manual penetration testing because we have our own testing team. Instead, we use SAST from the moment our developers start typing the code until the deployment phase. 

The visibility has significantly expedited our DevSecOps process. Now that we've integrated Veracode and included it in our build pipelines, we can provide feedback on potential issues and vulnerabilities in their code much more quickly. Our team appreciates and is delighted with this improvement because, previously, we had to wait until the builds were completed, then run DAST and subsequently present them with ten pages of issues, which would take them ten to fifteen days to address. By adopting a left-shifting approach, we've moved the bar further to the left, reaching a point where we can hardly get closer than we are now while they are actively coding. The only way to provide them with even faster information about potential vulnerabilities in their code would be to offer feedback as they type and when they push the code to the main build. Unfortunately, as of now, there are no tools available that can accomplish this.

Veracode has been a great benefit because it allows developers to log in to their code and examine the specific vulnerabilities they were informed about. Typically, there is a description of why and how the vulnerability occurred, along with guidance on how to resolve it. Veracode significantly aids our organization in fixing flaws.

Veracode helps our developers save time. While I cannot provide a precise estimate of the actual time saved, I can explain that the more we shift the SAST to the left, meaning running it as soon as the developers enter their code, the more time we can save. This is because when developers have the code fresh in their minds, they have a better understanding of what they wrote and how to fix any vulnerabilities based on the provided descriptions. On the contrary, if we shift the SAST further to the right when the code is already completed and possibly being reviewed by a different developer, it will take more time for them to understand the original code and the vulnerability's context. Thus, the original developer could have fixed the vulnerability in a shorter period of time. Additionally, considering the learning curve for new developers down the line, it becomes even more crucial to have the original developer fix the vulnerability promptly. If we only run DAST without SAST, we might end up with a long list of ten thousand potential vulnerabilities, which would require weeks of work just to address them all sequentially from the start.

Veracode has had a significant impact on our organization's security posture. When I first arrived, we were only connected to about three different teams. Originally, we only had seven or eight teams. Now, we have almost two hundred teams. One of the most significant changes is that even with those seven or eight teams, only two or so were using Veracode. However, we gradually added more teams as they came on board. Subsequently, there was a major organizational change, and teams were divided into smaller, more compact, and agile units, which is the new trend in the industry. As a result, the teams are now much smaller, more diverse, and more agile. We are now connected to 70 percent of the two hundred teams. We have expanded considerably, but there is still more to achieve. The efficiencies have improved significantly, and the developers are satisfied with this progress. This shift is excellent for security because we were usually known as the "no people," but now we are transforming into the "yes" and "let me help you with that" people.

Veracode has reduced the cost of our DevSecOps, just from the 25 percent time-saving. The most expensive factor is not computers or technology, but rather, it's people. If I were to add together all of the salaries of the individuals and compare the amount of time saved to the total salary cost, I could cover the expenses for my infrastructure twice over a year. 

What is most valuable?

The most valuable feature is the SAST capability and its integration into the Veracode pipelines.

What needs improvement?

From what we have seen of Veracode's SCA offering, it is just average. The SBOM is adequate, but it's essentially the same as what everyone else is doing. In terms of SCA, they are about average compared to other systems. Therefore, I would like to see some improvements. 

SAST, DAST, and SCA in a single pane of glass would be a good upgrade to Veracode.

We are a Jira and Confluence shop and I would like to have a really good integration with those tools. 

We have a ticketing system that not too many companies have ever heard of. In fact, I had never heard of it before coming here. Instead of using a well-known industry standard like ServiceNow, we use a ticketing system called Cherwell, which also has an open API. Having an API for the ticketing system would be really beneficial.

I would prefer if Veracode offered more options for licensing, such as a pipeline or project license instead of a user license. Currently, I have around seven hundred users, but I manage fewer projects. Therefore, I believe it would be more beneficial and efficient for me if Veracode could adopt a project-based pricing model. In reality, I have multiple teams working on various projects simultaneously. Pricing based on the number of projects I have up and running would be more suitable for my needs compared to the number of developers working on a particular project.

One thing that I would like to be able to do is to receive a daily summary of the emails I currently receive. With numerous ongoing projects, constant scanning occurs, resulting in a high volume of emails about what is being processed. I believe it would be helpful if Veracode could create a daily summary of these emails. This way, I can easily track the number of actual emails I receive without having to go through each one individually. As of now, I already have 65 emails from Veracode, specifically regarding the processes that ran today.

For how long have I used the solution?

I have been using Veracode for three years.

What do I think about the stability of the solution?

I have almost never seen any downtime with Veracode.

What do I think about the scalability of the solution?

The scalability is excellent because we utilize Veracode on their cloud infrastructure, and we handle dozens of projects daily.

How are customer service and support?

I've never had a problem that didn't get solved, or at the very least, get immediate feedback. So, I would say their technical support is very good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously utilized a solution provided by IBM in my previous organization, but later we transitioned to a company named WhiteHat Security. The reason for this switch was that when we conducted a scan using the IBM solution, it returned a result of ten thousand vulnerabilities. It was my responsibility to review the vulnerability report and clear out any false positives. However, this task was extremely time-consuming, taking nearly forty hours to complete. The reason behind the prolonged effort was the spidering scan performed by the IBM solution, which continually traversed different pages through various links, leading to repetitive errors that required matching and deduplication. Out of the ten thousand vulnerabilities, approximately a thousand were legitimate, and the scanning capability was limited to DAST. To address these challenges, we migrated to WhiteHat Security. With WhiteHat's scanning process, the number of vulnerabilities was reduced significantly to around six or seven hundred. Their approach outperformed my manual efforts in identifying duplicates and further eliminated non-duplicate vulnerabilities that were caused by the same piece of code.

When I joined my current company they were already using Veracode.

How was the initial setup?

The initial setup was straightforward. We connected to the Veracode cloud, so essentially, we are operating on their public cloud. Whenever we run any process, we send our code to them. They execute it, and we receive feedback from the execution.

I have not been involved in the initial deployment of Veracode, but I have been involved in deploying the pipelines, creating and building out the ISMs, and also administering users. Recently, we moved and integrated it with our single sign-on. Since we're using Okta, we performed the integrations, and now everyone connects through Okta.

What about the implementation team?

We utilized a value-added reseller, and they provided integrators themselves. Additionally, we have direct connections with Veracode. So, my understanding is that we likely received assistance from both the value-added reseller's team and Veracode.

We have monthly calls with Veracode. I work directly with engineers and have access to their email addresses and telephone numbers. This way, whenever there's a problem or an issue, I can easily reach out to someone. Additionally, I receive almost daily emails regarding recent developments and occurrences.

What was our ROI?

We have seen a return on investment. We have two hundred teams, and approximately 70 percent of them are integrated with Veracode, running pipeline scans on about 50 percent of those. The remaining teams conduct manual SAST scans instead of using pipeline scans. We have likely saved 25 percent or more of the time it takes developers to go from a startup project to the final build and deployment, just by addressing vulnerabilities.

What's my experience with pricing, setup cost, and licensing?

We pay based on the number of developers working on a particular project.

Which other solutions did I evaluate?

Our organization evaluated four or five different solutions before selecting Veracode. The issue with the others was that they only offered either SAST or DAST, but not both, whereas Veracode provides both.

What other advice do I have?

I would rate Veracode an eight out of ten. Veracode needs to improve its SCA capabilities to become a market leader rather than a market follower. Another noteworthy area they are starting to focus on is container security. I assume they will compete with Lacework and other companies in that domain, which makes it worth keeping an eye on.

Veracode's software bill of materials feature is integrated into the software composition analysis, which we are currently exploring for utilization. However, at this time, we are using a third-party product for that purpose.

Veracode's false positive rate is very low based on what we have found. However, there are instances where it becomes confused, identifying one type of vulnerability when it is actually a different type that appears similar. Nevertheless, we always conduct verifications before approving a list of vulnerabilities for the developers to address. We thoroughly go through and verify at least most of the different types to ensure their validity. My team verifies the false positives, so the developers almost never see them. Because we don't encounter many false positives, we don't spend a lot of time fine-tuning policies. We'll make some minor adjustments, and it should mostly resolve the issue until we encounter a different type of false positive. Then, we'll have to address it separately.

One of the other things that I have observed recently is a tool called Veracode Fix. We have not examined it yet, but it's worth considering. Normally, we avoid implementing too many automated fixes because sometimes they end up causing even more issues, particularly when dealing with legacy code while transitioning to Veracode. Allowing automation could potentially lead to the application being permanently shut down, especially in cases like Software Composition Analysis and Software Bill of Materials where we may need to upgrade to a different or less vulnerable, open source piece of code. If we upgrade without ensuring compatibility with our existing setup, it could break numerous things. Hence, we previously attempted to use automated fixes, but the outcome was negative, and we have decided never to repeat that mistake. Therefore, it's something we plan to explore, but we need to ascertain if there have been any changes in that type of setup.

For someone who wants to use Veracode but is concerned about the cost, the amount of time saved, especially on the SAST side of things, makes it worthwhile.

We are a multi-cloud organization primarily using AWS, with 25 percent of our infrastructure on Azure and a smaller portion on Google Cloud. We are currently using Google services only because we are a Google shop rather than a Microsoft Office shop. As a result, all of our emails are managed through Google, and we rely on Google Docs and other related tools. 

There are four architects and a group of DevSecOps professionals who work directly with the development and operations teams. They form the security component of the organization and are responsible for operating Veracode on a daily basis. Their primary role is to assist the developers in integrating Veracode into their workflows, setting up pipelines, and collaborating with them when vulnerabilities are identified. They are available to help the developers understand why they received a vulnerability and guide them on how to address and eliminate it.

The only maintenance we will have to deal with is related to the ISM servers. These ISM servers are actually controlled by our company. There is an on-prem link to the Veracode cloud. When they conduct their scan, they access the server, which acts as a jump box. This enables them to scan our internal applications that do not have direct access to the outside world.

Veracode is a good Dynamic Application Security Testing tool, but it excels as an outstanding Static Application Security Testing solution for organizations that prioritize serious security measures.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Zach Handzlik - PeerSpot reviewer
Release Manager/Scrum Master at Amtech Software
Real User
Is easy to install, has low false-positive rates, and saves time with continuous integration
Pros and Cons
  • "Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention."
  • "I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning. If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously."

What is our primary use case?

We use it primarily for our application security concerns. We use the dynamic, static, and SCA scanning tools. We run our static scans after the code is compiled, and that gets uploaded automatically through our DevOps tool. We have installed an agent in one of our cloud servers that is behind a firewall to run the dynamic scan against the runtime. We run our SCA scans when we do the static scans, which is after compilation.

How has it helped my organization?

Prior to using Veracode, we hadn't really looked into security features or thought about security in the same way that we have since we started using Veracode. We were focused on what you hear about in the news, such as making sure that it is HTTPS secured. We hadn't really dug into the nitty gritty of application security and scanning our source code, running it against a runtime environment, and looking at the actual third-party solutions that we integrate or use in our code. Veracode has helped with our mindset as an organization to start thinking about things more securely by design rather than as a reactive measure. We're being more proactive with security.

What is most valuable?

Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention.

We feel very confident about Veracode's ability to prevent vulnerable code from going into production. Having the stamp of approval helps not only from a marketability standpoint but also from an overall good feeling within the organization that we're doing our part to help keep our code free from vulnerabilities.

This solution provides visibility into application status at every phase of development. It goes from compiling the code all the way to running it in production. It covers all major aspects of the SDLC. We run static scans and SCA scans early on in the process to make sure that we catch any code that is insecure by design. If we are able to catch it earlier on, before it's actually out in the production environment, it reduces costs. The dynamic scans are run further along in our QA process. That is, once we've deployed the code and have it in a runtime environment, we run weekly scans in a dynamic environment against the code runtime to make sure that there aren't any new vulnerabilities that got introduced. We are looking at doing manual penetration testing in 2023, where we would be using a spinoff of the code that was released to the customers to make sure that there aren't any holes through which a nefarious actor could get in and exploit what was built.

Veracode's false-positive rate is low. The few instances when it looked like there were false positives, the issues were found to be either true vulnerabilities or things that were that way by design. If a developer thought that there would be a ton of false positives when using the tool, it would then diminish the value of actually using the tool. Veracode touts itself as being a tool with the lowest false-positive rate in the market. It gives inherent confidence in the tool itself, and developers are more inclined to think that if it found something, it's pretty likely that it is not a false positive. They would then work to prove it wrong rather than discounting it without even looking into it.

We haven't really found many false positives with static analysis, and there hasn't been a significant impact on our time and cost related to tuning, leveraging data, and machine learning.

Continuous integration linking definitely saves a lot of time because it takes away the step where a developer needs to manually upload the code every time to do a scan. It can run in the background, and having the Visual Studio plugin includes it directly in the development environment. If developers do get assigned a bug that they need to fix, they can pull it right up in their development environment and not have to log in to the portal. It will all be right there.

I'm primarily the one who has been involved in DevSecOps, and Veracode has definitely reduced my time. If we had gone with a conglomeration of open-source tools, it would've taken me a ton more time. Whereas with Veracode, all the documentation is out there, and I'm able to integrate everything that I need from a usability standpoint. I don't have to learn a new tool every time I need to integrate a new security scanning option. It has helped me tremendously and has saved me a lot of time.

What needs improvement?

I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning.

If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously.

For how long have I used the solution?

I've been using Veracode for a little over a year now.

What do I think about the stability of the solution?

I haven't had any stability issues, bugs, or glitches.

What do I think about the scalability of the solution?

The scalability is really good. I recently added to the solution some new applications that I learned about late in the game. There were probably 10 that I had to add in rapid succession and scan as well. It was very quick and painless.

How are customer service and support?

Veracode's technical support is very responsive, and I've heard back within 24 hours regarding a couple of issues I've entered. We have actual consulting calls, which are a scheduled event, and I like the way they handle those as well. I have nothing but good things to say about them and give them a rating of ten out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

I was involved with the initial setup of Veracode, and it was straightforward. We had a third-party vendor who was evaluating it, so a little bit of the setup was done. However, adding a new application to the tool is easy and self-explanatory. It doesn't take much time at all, and the documentation is out there if we need to look up anything.

What about the implementation team?

We implemented it with the help of a third-party vendor. They had two people on their team who were working on the deployment along with me. My responsibilities included adding all of our software to the tool to run scans against it, integrating it with our DevOps solution, discussing the tool itself with internal stakeholders as to how they can use it and showing programmers how to use the tool from an internal adoption standpoint.

What's my experience with pricing, setup cost, and licensing?

I know that Veracode is a semi-pricey solution. If you are serious about security, I would recommend that you use an open-source option to learn how the scanning process works and then look into Veracode if you want to really step up your game and have an all-in-one solution.

Which other solutions did I evaluate?

We evaluated a couple of open-source tools such as Snyk and SonarQube against Veracode with the help of a third-party vendor. We didn't use any of those and landed on Veracode because of the Veracode Verified seal. This, along with Veracode being the market leader, gave Veracode an edge over the others.

The main difference between Veracode and the solutions we evaluated is that Veracode is an all-in-one solution. Though an open-source solution would've been more cost-effective, we would've had to use a bunch of different tools. It would have required more knowledge to do the integration piece and would've taken a lot more time and effort. There would have been invisible costs associated with it just by the virtue of time. In comparison, Veracode's dynamic scan, static scan, and software composition analysis are all in one place.

What other advice do I have?

My advice would be to look at the open source tools out there and see how far along you are in your security journey and what your needs are. If you're looking for the best in the market, Veracode is a great option, as far as paid solutions go, because it's a one-stop shop. If you have more time at your disposal and you don't mind integrating some solutions, then I'd recommend an open-source tool. However, if you have the resources, I would definitely recommend going for Veracode.

On a scale from one to ten, I would rate Veracode at nine.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Manager of Application Development and Integrations at a university with 1,001-5,000 employees
MSP
Prevented vulnerable code from going into production but their support is lacking
Pros and Cons
  • "Veracode Security Labs are fantastic. My team loves getting the hands-on experience of putting in a flaw and fixing it. It's interactive. We've gotten decent support from the sales and software engineers, so the initial support was excellent. They scheduled a consultation call to dive deep and discuss why we see these findings and codes. That was incredibly helpful."
  • "Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in."

What is our primary use case?

We use Veracode for dynamic, static, and software composition scanning. Veracode is a SaaS solution.

How has it helped my organization?

Veracode has exposed many flaws, and the Security Labs have helped train the team to understand security and fix flaws. You don't know what you don't know. They've shown us what we don't know so we can identify and fix our security issues.

Veracode effectively prevented vulnerable code from going into production. I have a hard time validating that assumption, but I think it's good at that. It seems like it does a lot in terms of compliance with industry standards and regulations. 

We've requested some features for fine-tuning the ability to craft the policy and what can break a build. It was disappointing that they didn't add that. However, we've used the policy features and were able to report on it, so we were pleased with that. It can create custom dashboards and see which applications are breaking a policy. We get a lot of metrics on those scans. 

We have Veracode built into our software delivery pipeline. Automation was our objective when we started evaluating Veracode. We have a high degree of automation in our regular scanning. Every day we do software composition scanning and static analysis, and we do weekly scans using dynamic analysis.

The automation features have saved us tons of time because we don't have to worry about whether it is getting done. Tackling security requires a massive time investment. The value we get from it is that our apps are more secure.

Veracode has raised our leadership's security awareness. This tool has generated more conversations around security and ways we can protect our software.

What is most valuable?

Veracode Security Labs are fantastic. My team loves getting the hands-on experience of putting in a flaw and fixing it. It's interactive. We've gotten decent support from the sales and software engineers, so the initial support was excellent. They scheduled a consultation call to dive deep and discuss why we see these findings and codes. That was incredibly helpful.

Veracode's static and software composition scanning has been most beneficial for us. We already use a competing product for dynamic scanning. 

What needs improvement?

Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in.

I've been harping on it for the last two years. They try to compensate for that by building a relationship with staff. We keep asking questions we wouldn't have to ask if they had a better user interface. They would save their staff time and save us a lot of hassle. 

They claim to have the best false positive rate. It's hard to judge, but we've had several false positives, and the solution's inability to resolve them has been incredibly frustrating. The ability to schedule a consultation to talk through what's going on has been helpful. Still, I'd like to see the capability to act on false positives and resolve them in the application instead of us marking things as false positives. That's where they need to improve.

It has occupied my team's time because they're escalating the issue from support to engineering. They've been consulting my developers. They raise issues but don't spend time duplicating the issue. They close tickets saying it's not a problem or misunderstand what's being requested. They need to mature in that area a lot.

For how long have I used the solution?

I've been using Veracode for about two years now.

What do I think about the stability of the solution?

I have some concerns about the leadership. This is only speculation, but I believe some leadership decisions have created a ton of turnover at Veracode. The solution was sold to another company, impacting us because we constantly get new contacts to work with, so we always have to ramp them up to speed. They're not necessarily as skilled as the prior contacts we've had. 

Is Veracode taking care of their staff? Are they keeping the people they need to support their customers? There have been months when I just had turnover fatigue from Veracode because we're constantly getting new contacts to work with. One thing that sets them apart is that we have a direct contact we can go to when we need an issue escalated or we need help understanding how something works.

What do I think about the scalability of the solution?

I don't have any concerns about scalability.

How are customer service and support?

I rate Veracode support two out of 10. When I raise issues, I expect support to bend over backward and be grateful that we're pointing out problems in their system. They should work to understand what we're talking about and reach out to us. 

I expect to meet with them, and I've never had a meeting with them to talk through issues. That's not how they work. Also, I feel like their staff isn't very skilled. They don't understand things and insult my developers. The support is terrible, but other Veracode staff has been exceptional. We always have to lean on our customer support contacts to determine why a ticket was closed. What's going on here? Can you escalate this? We're not getting any traction on that. 

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

I previously used Qualys. It had terrible support and wasn't supported well enough at the university. Also, Qualys is not a full-app security solution. It only did dynamic scanning and lacked the flexibility we needed.

How was the initial setup?

Setting up Veracode takes some effort. Their web interface isn't too intuitive. It's also slow, which poses a challenge when setting it up. Veracode provided some help getting it running. 

We did it ourselves with help from Veracode. If I had to do it again, I would do it all ourselves, too, because we got the support we needed from Veracode and didn't require a consultant's extra expertise. Veracode was that expertise. 

After deployment, Veracode requires routine maintenance. Their platform is down sometimes. Our nightly builds occasionally get stuck, and we must reach out to them. There is scheduled maintenance and dealing with issues as they come. I don't know if you necessarily call that maintenance, but it's time-consuming.

What was our ROI?

It's hard to quantify ROI on security. It makes us feel better. We have all this scanning, and we're identifying where we are vulnerable. If it prevents exposure, it saves us millions of dollars. There's potentially a considerable ROI, but it's speculative at this point.

What's my experience with pricing, setup cost, and licensing?

The cost has been a barrier to broader use here. I think my team is the only one at the university. Other folks might like to use it, but it's pretty pricey. You could see what else is in the market, but I hear that's the price for most solutions. You might not find a better deal in the market, or it might be an incomplete solution. For the level of interaction we get with Veracode staff, it's been pretty good.

Right now, we've had a little more interaction with Veracode staff because they want to sell to the rest of the university. So they've been willing to meet with us frequently, answer questions, and get on support for issues that get closed when they shouldn't be closed.

What other advice do I have?

I rate Veracode seven out of 10 because I have a beef about their support. Their turnover is impacting us, and we have concerns about how they treat their staff. We love Security Labs. We like the dashboards and reporting. I feel like Veracode wants to see us succeed on their platform, which goes a long way. They want to help us meet the goals set when we started using this product. That's a value add they provide. They do a great job finding security flaws.

At the same time, we have issues with support, platform usability, and performance. If I met a prospective Veracode user, I would point out those issues but also mention our positive experience with the solution engineer and sales staff. They've been accommodating and always willing to work with us.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Anant Upadhyay - PeerSpot reviewer
Game Developer at Gamezlab
Real User
Top 5
It has also enabled us to identify and fix bugs earlier, which is cheaper than fixing issues after a product is launched
Pros and Cons
  • "Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production."
  • "The scanning could be a little faster. The process is around three or four minutes, but it would help if it could be further reduced."

What is our primary use case?

Veracode helps us identify bugs and flaws in our code while operating it. We use the solution's static analysis feature to analyze code before running applications and the dynamic analysis feature that scans the app while it's running.

We typically run Veracode at the end of the development phase when we are ready to launch our software. We also scan for vulnerabilities after the software goes into production. It's the final phase of our development cycle.

How has it helped my organization?

Veracode has reduced the amount of time we spend manually investigating our code. It has also enabled us to identify and fix bugs earlier, so we don't need to release patches after a product is launched. 

The false positive rate is quite low, which is critical. If it had a high false positive rate, it would be difficult to trust this software. We can discover lots of errors and bugs manually, but this software enables us to clear any error or compliance issue with a low false positive rate. It's highly efficient in that sense. We can trust the process, so we spend less time investigating issues manually.

In one development cycle, Veracode usually saves us four or five hours of human work that goes into checking the code, finding errors, and fixing them manually. The remediation is also built into the software.

What is most valuable?

Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production. Veracode helps prevent vulnerable code from entering production, and it has a low false-positive rate, so it can reliably find real vulnerabilities. 

The software bill of materials feature has proven helpful in finding bugs and flaws that may cause problems in our product when we launch it. It has helped a lot to exponentially reduce the cost after the launch cycle. It is quite easy to create reports and perform a detailed analysis because much of the process is automated. It can fix most issues automatically.

What needs improvement?

The scanning could be a little faster. The process is around three or four minutes, but it would help if it could be further reduced.

For how long have I used the solution?

I have used it for four months.

What do I think about the stability of the solution?

We haven't experienced any downtime since we started using it. It is highly stable. We haven't seen any server crashes from their side. 

What do I think about the scalability of the solution?

Veracode can handle lots of processes, so I would say it is scalable.

How are customer service and support?

I rate Veracode support eight out of 10. The response times are fast. If we have a problem, they respond within four or five hours. 

How would you rate customer service and support?

Positive

How was the initial setup?

The setup process was straightforward, and the Veracode team guided us through the deployment, which took about four or five hours. It only takes one person to install the solution. It doesn't require any maintenance after deployment. 

What was our ROI?

Veracode has eliminated a lot of manual security processes that cost a lot of money and time. It has saved us lots of time and money for development.

What's my experience with pricing, setup cost, and licensing?

The cost of scanning code is cheaper. It's typically $0.50 per line of code. However, it's expensive to run a high-level process that would normally require a human security expert. For example, penetration testing costs about $1,000 per application. The cost of these features may be too high for smaller organizations. On the other hand, Veracode's interactive application security testing is fast and cheaper compared to other software.

What other advice do I have?

I rate Veracode nine out of 10. If anyone is considering Veracode, I suggest trying a demo beforehand so that you can see how it addresses the kind of problems your organization is facing and how it works with the programs you are creating. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: October 2024