reviewer1345386 - PeerSpot reviewer
Senior Software Developer at a pharma/biotech company with 201-500 employees
Real User
A robust and full-featured solution that provides a good analysis of the vulnerabilities
Pros and Cons
  • "The analysis of the vulnerabilities and the results are the most valuable features."
  • "It can have more APIs and capabilities to handle other things well."

What is our primary use case?

We used it for initial discovery and analysis and for reviewing the product. We were doing a trial. We had uploaded code on the Veracode server for analysis.

We used the cloud service or the cloud website where you could interact and identify the artifacts that you wanted to be reviewed, analyzed, and reported on. There was a plugin that we used with some of our IDEs. It probably was Greenlight.

How has it helped my organization?

It pointed out some areas to be improved that we were not aware of. That was very helpful because if you don't know that there is a problem, you can't fix it.

What is most valuable?

The analysis of the vulnerabilities and the results are the most valuable features.

What needs improvement?

It can have more APIs and capabilities to handle other things well. We were doing a trial for it. There were two things that I looked at: one was uploading some Java-related content and the other was uploading database SQL files and having the review done on the quarterback.

The Java portion of it worked fine, and it was pretty seamless, but the database portion was not. We uploaded some files to use for vulnerabilities, and the tell-all portion of it was pretty easy. We uploaded a war file and Java files, and we got the reports back on these. They were pretty clear to understand. We did the same thing for the database portion for the most part. However, the content wasn't getting uploaded in a predictable fashion, and it was slow and hard to get done. We had to do it over and over. After it indicated that the content was uploaded, there were no results. There were zero search findings. It was possibly a user error, something that we didn't do correctly, but they had acknowledged that it was something they were currently enhancing. This is something that could be made easier if they haven't already done that. I don't know how many releases they've had in that timeframe. I haven't looked at it since then. It was a trial period.

Buyer's Guide
Veracode
January 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
832,340 professionals have used our research since 2012.

What do I think about the stability of the solution?

It seemed fairly stable other than the database portion where the SQL files didn't seem to get uploaded.

What do I think about the scalability of the solution?

I didn't think there would be any concerns. We didn't exercise that. We didn't, in other words, try to upload a gazillion artifacts and files. We just uploaded a few just to see how they handle it. It seemed fairly robust.

There were about ten Java and database developers who were using this solution. We were all collectively reviewing it and getting feedback on it.

How are customer service and support?

We didn't use their technical support.

Which solution did I use previously and why did I switch?

There was no other solution.

How was the initial setup?

I wasn't that involved in the setup. I was basically a reviewer after it was all done.

What about the implementation team?

I don't think there was any in-house work. I think it was just all on their server. We didn't have any equipment or any software per se other than just downloading a plugin or IDE, which essentially did the same sort of code analysis.

What's my experience with pricing, setup cost, and licensing?

Its cost for what we needed it for was too high. It wasn't too high for other companies and it was competitively priced, but for us, it just didn't fit. We did plan to use it and increase the usage. In the end, it may have been abandoned because of the cost, but I'm not a hundred percent sure. So, even though we had planned on using it more and more, because of the cost and the business conditions of things, we didn't have the opportunity to really use it more.

Which other solutions did I evaluate?

There were a few other solutions we had looked at, but they didn't seem to be as robust. They also didn't have good reviews. That's why we chose this solution.

What other advice do I have?

It is a robust software service for security analysis. It seemed to be pretty full-featured. We didn't exercise every single thing. Just a few of the features didn't seem to be up to snuff for our needs.

I would rate Veracode Manual Penetration Testing an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user673734 - PeerSpot reviewer
Chief Technology Officer at a tech vendor with 201-500 employees
Real User
Increases our confidence in the security of our server-side and mobile apps
Pros and Cons
  • "It has an easy-to-use interface."
  • "We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously; it just makes our task more tedious at times. That kind of feature would save us time."

What is our primary use case?

We use it for security scanning of SaaS and mobile software that we develop: one server-side and two mobile applications. Most customers require SAST and DAST scanning in order to purchase.

How has it helped my organization?

It gives us more confidence in the application security of the products we scan. We use it as part of our AppSec best practices.

What is most valuable?

It has an easy-to-use interface.

What needs improvement?

We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously; it just makes our task more tedious at times. That kind of feature would save us time.

What do I think about the stability of the solution?

We have never had any problems with the solution.

What do I think about the scalability of the solution?

It has always worked for us; we haven't found any issues. There have been no problems with scanning small and large objects.

How are customer service and technical support?

Technical support is excellent. It meets our needs.

Which solution did I use previously and why did I switch?

We had no previous solution. Our choice of Veracode was due to Veracode being a customer and requiring that we use their tool to scan our solution.

How was the initial setup?

The initial setup was straightforward. As it's a SaaS solution, it took no time to set up. But because I didn't take training, I spent a bit of time figuring out the product. No implementation (or strategy for implementation) was required, beyond some simple configuration settings.

What's my experience with pricing, setup cost, and licensing?

No issues, the pricing seems reasonable.

Which other solutions did I evaluate?

We evaluated no other products for SAST when we started using Veracode.

What other advice do I have?

Be aware that the first run will find a lot of issues, many of which are not real issues; it will take time to understand that. Don't change object names as that will confuse it. Make sure you get development buy-in early.

We're looking to expand its use within the development organization and are looking into another license. Currently, we have four users of the solution: myself (security) and developers. The four of us also maintain it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user877104 - PeerSpot reviewer
VP Worldwide Delivery Acceleration at a financial services firm
Real User
Improved our security posture without the overhead of supporting infrastructure
Pros and Cons
  • "Because it is a SaaS offering, I do not have to support the infrastructure."
  • "Some important languages are not supported."
  • "We have encountered occasional issues with scalability."

What is our primary use case?

SAST vulnerability scanning. Veracode is embedded in our release pipeline.

How has it helped my organization?

It improved our security posture. In terms of cost savings relating to code fixes since implementing Veracode, I'm not sure there are any. How do you quantify reputational damage from a security breach? However, they have provided AppSec best practices and guidance to our security and development teams through our support agreement, weekly meetings, and annual review.

What is most valuable?

Because it is a SaaS offering, I do not have to support the infrastructure.

What needs improvement?

Some important languages are not supported.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No issues with stability.

What do I think about the scalability of the solution?

We have encountered occasional issues with scalability.

How are customer service and technical support?

Tech support is excellent.

How was the initial setup?

The initial setup was extremely straightforward.

What's my experience with pricing, setup cost, and licensing?

Negotiate for the best deal.

Which other solutions did I evaluate?

Fortify, App Scanner, Checkmarx.

What other advice do I have?

Make sure the supported languages align with your developers.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user797976 - PeerSpot reviewer
Global Application Security at a pharma/biotech company with 10,001+ employees
Video Review
Real User
It has the ability to scale and does not produce a lot of false positives
Pros and Cons
  • "It has the ability to scale, and it doesn't produce a lot of false positives."
  • "It does nearly everything, but penetration testing."

How has it helped my organization?

Scalability and its optimization of security inspections. At the end of the day, I like the fact that it is all prim. It does not require a lot of support on our side. We get the benefit of security inspections and it scales with our community, which is global.

What is most valuable?

It has the ability to scale, and it doesn't produce a lot of false positives.

What needs improvement?

Number one, I need analytics, analytics, and more analytics. It is all about risk-based management and better decision support; that is why.

What do I think about the stability of the solution?

It is rock solid; we have used it now for seven years.

How are customer service and technical support?

On a scale of one to 10, I would give it an eight.

Which solution did I use previously and why did I switch?

We had no previous solution. We didn't know we needed to invest in Veracode. It worked out that way through our evaluation process that it was the right solution for us.

What other advice do I have?

I never give 10s. I would give it a nine. It does nearly everything, but penetration testing. It covers such a broad breadth of our portfolio. In our business, we have applications written in so many different languages. Finding something that can consistently scan and not generate false positives across the paradigm or the whole ecosystem of languages, that is impressive. It is speed of inspection, the accurateness of the inspection outcomes, and frankly, it has fairly good business analytics embedded on the platforms. So, it does a lot more for us than not.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer1384917 - PeerSpot reviewer
Director, Customer Advocacy at Veracode
Real User

Thank you for taking the time to share your experience with Veracode. We appreciate your time and hope all is still going well. Please let me know if there's anything I can do to help.

it_user779082 - PeerSpot reviewer
Senior Information Security Program Manager at a financial services firm with 10,001+ employees
Real User
Gives us every vulnerability that has been identified, so there is no human intervention
Pros and Cons
  • "The ability on static scans to be able to do sandbox scans which do not generate metrics."
  • "I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams."

What is our primary use case?

The primary use case is application security and application security testing, specifically static and dynamic analysis, and software composition analysis. It has performed excellently.

How has it helped my organization?

The benefits are the fact that it identifies our vulnerabilities, and it has improved us by allowing us to pull everything to the left in agreement with our SDLC and with our developers, and have them not only get buy-in because they can run sandbox scans that allow them not to generate metrics, but also run policy scans where we identify what the policy is and what is acceptable. So, it has helped us secure our company and our applications.

What is most valuable?

  1. The ability on static scans to be able to do sandbox scans which do not generate metrics.
  2. Gives us every vulnerability that has been identified, so there is no human intervention. Therefore, we can actually look and prioritize our own vulnerabilities as opposed to having someone else try to get in between.

What needs improvement?

I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams. We would be able to scan our applications, identify the vulnerabilities, not generate metrics, which would allow the teams to address the vulnerabilities earlier in the cycle, and then have cleaner scans later on.

Also, I would maybe like to see a better report engine.

What do I think about the stability of the solution?

It is extremely stable.

What do I think about the scalability of the solution?

So far, extremely scalable.

How are customer service and technical support?

We do have ongoing technical support. We use them more as a backstop. My team handles most of the calls and issues that any of the developers might have.

CA support has excellent time frames. They are knowledgeable and get back to you with an actual solution, which is always a plus.

How was the initial setup?

The initial setup was very straightforward.

  1. It is SaaS, so we did not have to install anything locally.
  2. We were able to give our privileged users better roles because it is role-based, and to do multi-factor authentication. All we had to do was set up our trust relationship; then we had single sign-on and we white-listed everything. So, it is everything that we wanted from a security point of view, and it is easy to roll out.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer1384917 - PeerSpot reviewer
Director, Customer Advocacy at Veracode
Real User

Thank you for taking the time to share your experience with Veracode. We appreciate your time and hope all is still going well. Please let me know if there's anything I can do to help, my role is new here and I'm fascinated with the customer feedback.

it_user335091 - PeerSpot reviewer
Senior Security Consultant at a retailer with 1,001-5,000 employees
Real User
We were able to easily integrate static code testing into the SDLC process, moving from the waterfall to the agile methodology while still able to integrate Veracode testing within both.

Valuable Features

Static code analysis is a valuable feature.

Improvements to My Organization

We were able to easily integrate static code testing into the SDLC process. We moved from the waterfall to the agile methodology, and were still able to integrate Veracode testing within both methodologies.

Room for Improvement

It's been over a year since I used the product. But when I did, I found there were too many false positives.

Use of Solution

I used it for one year.

Deployment Issues

No issues encountered.

Stability Issues

No issues encountered.

Scalability Issues

No issues encountered.

Customer Service and Technical Support

Customer Service:

8/10

Technical Support:

8/10

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Managing Director at Harrods
Real User
Provides the capability to track remediation and the handling of identified vulnerabilities. The application does not support API or Dynamic Application Security Testing.
Pros and Cons
  • "Allows us to track the remediation and handling of identified vulnerabilities."
  • "Provides the capability to track remediation and the handling of identified vulnerabilities."
  • "The security team can track the remediation and risk acceptance statistics."
  • "The solution does not support Dynamic Application Security Testing."
  • "The current version of the application does not support testing for API."

What is our primary use case?

We are planning on introducing a static code analysis tool to support a DevOps effort in our environment. The objective of the solution is to allow the team to identify vulnerabilities in the source code and improve the hygiene of the developed code before deployment.

How has it helped my organization?

This is currently still under evaluation, and it is pending review and assessment against other static code analysis solutions.

What is most valuable?

The solution provides the capability for the application teams to track remediation and the handling of identified vulnerabilities. The system provides workflow capabilities for the application teams to send the completed scans to the security teams for their review. In addition, the security team can track the remediation and risk acceptance statistics.

What needs improvement?

The solution currently does not support Dynamic Application Security Testing, which is an important facet of application security testing. In addition, the current version of the application does not support testing for API.

For how long have I used the solution?

Trial/evaluations only.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
DevOps and Cloud Architect at a hospitality company with 1-10 employees
Real User
Great for automatic penetration testing and providing the ability to investigate problems
Pros and Cons
  • "Provides the ability to understand the black zones in our system."
  • "Security can always be improved."

What is our primary use case?

I'm the manager of DevOps and cloud architecture.

How has it helped my organization?

This product has given us the ability to investigate and understand the black zones in our system.

What is most valuable?

Veracode can emulate the most sophisticated attack and create unique or specific use cases around automatic penetration testing. It gives us the ability to investigate any sensitivities to vulnerabilities that we may have.

What needs improvement?

Security can always be improved. I'd like to know how we can better prevent intrusions to our systems and create risk analysis use cases and understand them. What is the level of risk for what we want to do? How can we understand the process better? I'd like to have a better overview of what's going on.

For how long have I used the solution?

I've been using this solution for five years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable.

How are customer service and support?

There are three layers of technical support and we have used all of them over time. We are happy with the service they provide.

What other advice do I have?

It's important to understand your environment and know the specific use cases for your organization. Creating good orchestration application metrics is very important.

I rate this product eight out of 10.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: I am a real user, and this review is based on my own experience and opinions.