Veracode Reviews

We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes.

Technically there is nothing wrong with Veracode. The only issue that we have here is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. 

Technically there is nothing wrong with Veracode. The only issue that we have is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. 

One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications. So we would like to see a kind of a graphical representation of the problem areas. I would like to know which file is the biggest source of issues for me so that I can focus on resolving the issue, as a project manager. With how it is now, I am able to do this but I have to take out the whole PDF file and extract it. It takes up a lot of my time. I would like to see better strategic reporting. It would be great to get better graphical reporting.

Stability is very good and there were no issues. I will give it five stars.

It's very good; really very good. I would strongly recommend that. Technically I would be expecting a double concept for Veracode. I would still say this is one of the best products ever on that website. I don't have any issues with the scalability. 

I had no technical issues at all.

The initial setup can be a little complex for people or for organizations that don't have technical skills. Another small thing is that you need to have one person who's fluent and technically knowledgeable to help during the upload process. But otherwise, it's pretty much straightforward. It's not an issue, it's perfect.

I would strongly recommend doing an internal analysis first, before setting it across to Veracode to proceed and to use it more as a final verification point. My point is that Veracode is very good, and I would strongly recommend it. I have seen other solutions on the market and that's why I say: don't waste your time on other products, just get Veracode.

I would rate it an eight out of ten. Not a ten because of the reporting issues I mentioned that I would like to see improved.

We use Veracode to scan custom-developed code for flaws.

• The volume of unmitigated flaws in our applications has been substantially reduced.
• In terms of AppSec best practices, the team at Veracode has provided industry benchmarks against which we are measuring our improvement.
• Our customers have benefited from the added security assurance of our applications, although they may not know it.

The identification of flaws.

We would like to see improvement in reporting, in particular, end dates on mitigations.

The solution is very stable.

It has handled all the expansion we have required from it.

Technical support is highly competent.

It was already implemented when I joined the organization. However, we have expanded greatly.

We are about to enter discussions for renewal. I have heard there may be some changes to pricing. I will reserve judgment until the discussions are complete.

I would recommend it. It covers all our custom-developed applications and will expand as new applications and services are added.

We have 50-plus users of Veracode. Their roles include InfoSec, developers, development managers, QA, and configuration management. In terms of deployment and maintenance, we have four people in configuration management and InfoSec.

We used Barracuda for scanning containers. And in all in DevOps workflow.

The coverage of backdoors attacks on security that's the most valuable for my clients.

There is room for improvement in documentation. Maybe the documentation about how to configure something. It is difficult to get the expected result. 

I have been using this solution for two years. 

It's stable. It works very well in the parameter like an enterprise solution. We don't have any problems with that.

We are very pleased with the support.

Positive

I would rate my experience with the initial setup a six out of ten, where one is difficult and ten is easy to set up. 

We work on the deployment process. The solution is deployed both on-prem and in the cloud environment.

The solution doesn't require any maintenance. 

It took two years to see ROI for our clients.

Veracode is expensive. But the solution is worth it. 

Overall, I would rate the solution a nine out of ten. It is a good solution for security. In my personal opinion, there are not many products like Veracode in the market. 

Our development team use this solution for static code analysis and pen testing.

The runtime code analysis could be improved so that we can see every element in one place.

I have used this solution for two years. 

I would rate this solution an eight out of ten. 

We test each major release of our software using Veracode static and dynamic testing. We also do manual penetration testing annually.

Ensures our code and system are 100% compliant. In terms of APPSec best practices and guidance to our team, the Knowledgebase available on the Veracode system is a great resource for our developers.

For our customers, the added security assurance is a requirement.

• Ad-hoc scanning during the development cycle
• Reports for audits

In terms of integrating Veracode into our existing software development lifecycle, there are regular milestones in the SDLC to perform Veracode scans.

• Entering comments for internal tracking
• Entering a priority
• Reports that show the above

No issues with stability.

No issues with scalability.

Excellent.

We did use a previous solution. It didn't satisfy our needs technically, and the customer service and its cost were not satisfactory.

Easy.

We don't do a detailed enough analysis to reflect on any cost savings relating to code fixes made since we implemented Veracode.

Negotiate some, but their prices are reasonable.

HPE Fortify.

Have them guide you through your first scan - make sure to add hours to your initial contract for that.

I am very likely to recommend Veracode to colleagues.

We test two mission-critical web applications (C# Web forms).

We used to revise code with free tools (like VCG) but they are not even in the same universe. Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us lot of time. For example, it raises a flag about a problematic third-party DLL before development invests time heavy using it.

Also, from the very relevant results and issues that were pinpointed by Veracode, I can say that our customer security was greatly enhanced by its use.

It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code, but the source code never leaves your workstation, it is all client side, no NDA needed.

It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help (but not now, now that I've learned it).

No, we did not detect a single glitch or fault in a year. We once had a periodic maintenance activity on the Veracode platform during a deadline, but it was clearly announced in advance, so we just went around it and had no issues.

No, you don’t have such concerns on Veracode. The process is really "launch and forget" (and wait for results).

The team that assists us with it is just great, especially considering there is a language barrier for some of our employees. Veracode did its best to get those employees in the loop with the chance to attend the meeting, as well with the aid of written English.

VCG (Visual Code Grepper) but I am not even going to compare them. VCG is as good as they come, but Veracode is a different breed. An application went through VCG and we were pretty confident. Then, Veracode results just blew us out of our shoes.

I manage the Veracode suite for my company, and I was personally walked through the various steps. Once I was up and running, we had another two-hour session to explain to us how a proper Veracode assessment should be planned (developers, code reviewers). As a result, I believe we have not only a pretty solid code review process up and running, but this was all provided to us at no additional cost.

What we felt is that the Veracode guys want to enjoy and use their solution first. They are not pushing to get consultancy time if that can be avoided. If you need consultancy time you can have it and the prices are convenient. We did not. All the help came at no additional cost.

It is difficult to assert, but it helps a lot with maintaining compliance with our main customers, and helps us to pinpoint some specific issues. The cost of not having Veracode would be pretty high for us.

The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most irrelevant "that can be done" was delivered, no matter how important the request was.

The licensing is fair, it is time-limited (e.g. one year) but there is a size cap for every app. If your applications are big (due third-party libraries, for example) you should discuss this beforehand and explore suitable agreements.

Competitors were evaluated but seemed, at once, too bloated or not relevant to all our specific requests. We were not interested in buying a product (such as a standalone program) rather we were interested in getting a tool for creating a process, and Veracode is that.

In terms of integrating Veracode into our existing software development lifecycle, as our two existing applications are quite mature, and not changed often, we have not taken steps to have Jenkins or another CI tool that would allow us to get the full power from the Veracode environment. We look forward doing it, starting with the next app that gets developed from scratch.

CA Veracode provided AppSec best practices and guidance to our security and development team during the kickoff phase. They offered assistance on specific code issues that were hard to fix, and guidance on preparing a credible set of rules for Veracode policy, all this at no additional cost.

As Veracode licensing is generally time-related, I suggest you start the subscription once everything is ready for consumption, assign a specific person to it and declaring it mandatory at the policy level. Losing two months of great value because the devs are too busy, or because they think they don’t need it, or they fear the results, or because no one is taking charge of the Veracode process, is really a pity. Once the clock starts ticking, try to take advantage as much as you can.

I would recommend Veracode to anyone involved in high-risk environments.

We use the Static Analysis, Dynamic Analysis, and SCA, the software composition analysis.

The Static Analysis has identified flaws.

From a developer point of view, it has really helped me to know about many security best practices that I need to follow.

There are also security specialists, although it's not my area, who work on strategy to mitigate flaws. It classifies things into three levels: high, medium, and low, the latter being the ones that you can live with. It tells you which are very critical and you need to fix. That helps management to determine the strategy of what to fix next.

When you reach a level of security in your application and you get verification from Veracode that your app is secure, that helps in selling products. Mitigating flaws and being sure that your product is secure is going to give you higher credibility with clients and better performance.

In our use case, some of our products have dependencies in separate apps. Before going into production, each dependency has its own sandbox to help us identify the vulnerabilities in that certain dependency. Then there is the software composition analysis, the SCA, that helps us scan all the vulnerabilities when those modules are integrated with each other. Before deploying the whole app into production, we fix the flaws and increase the score. We have a whole company policy that some high-level security experts put in place. Before we move on to the next level of scanning we need to get to a certain score. That has really helped us. Each time, they make the analysis a little harder, to dive deeper into the code and go through different scenarios to find more flaws. That has really helped us have the minimum required number of issues and security flaws, when we go into production.

The most valuable features are the application analyses: 

• Static Analysis
• Dynamic Analysis
• SCA, the software composition analysis, to scan all the models together. 

These are the three features we've mostly been using.

It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail. 

You can detect which line is causing the issue and it gives you some insights about, for example, if you have a dependency problem in your inputs or some known vulnerabilities. It even gives you an article so that you can read about it and know how to mitigate it in some cases. Sometimes there are well-known flaws in third-parties and you should upgrade to another version to resolve your issues. Veracode guides you.

I haven't tried any other platforms, but from what I have seen, it is really fast. You just upload the files, which is easy to do, and you can follow the scanning progress on the platform. Once it's done you get an email and you just access the platform. I don't know what other tools are like, but for me, Veracode is user-friendly.

I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help. 

I would also like to see more integration with other frameworks. There were some .NET Core versions that weren't supported back when we started, but now they're providing more support for it.

I've used Veracode since October, 2018.

The solution we are using is stable. So far, it seems to be really practical.

In our company, other products are using it, not just our product. So it's surely being used by other developers. There is also management between the applications. Each team has its own hierarchy in the company and the organizational levels are handled well in the solution. We have an upper manager and the administrator of the app. And each product has its own dashboards and its own access rights, so I cannot see the results of other people.

There was a time when we needed support from them. We organized a call because the license the company had included the possibility to have a support call with one of the Veracode guys, when we first started using it. They were very helpful, showing us how to use it. They provided support on how to integrate the extension. We had a one hour call with them and they were really helpful.

They also asked for some feedback. It feels really good to have that community working together. We feel engaged with the whole Veracode community.

I've participated in some of the online courses, which helped. There are some levels that the team should have. You follow some courses, you get to level one, and then you move on to the next level. Each level of certification was really useful to learn about some of the flaws and some of the vulnerabilities that we could face. They give you some great use cases and how to remedy things in C# and many different languages. The online course also shows you how a developer can make some mistakes in his code, and how those mistakes can be used to bypass app security. By knowing that, you can avoid doing it in the future.

There were also some events organized recently—security labs—and they were also useful. There were tasks and I even had to work on them outside of work, but they were really helpful and a challenge.

The training also helped us to identify the existing vulnerabilities in our code and some of the third-parties that we are using that have vulnerabilities in them. We know we need to upgrade them.

My advice is that you should follow the training, initially. It was really helpful, even at the first level. Then, go on and read all the detailed documentation online. There are even some video tutorials which are really helpful. These are the steps that I followed.

There is a section on the supported frameworks. Veracode supports a wide variety of languages, but it would be good to check that before diving into the analysis and why it's not detecting your code.

I have been really satisfied with the areas of Veracode that I have had a chance to work with.

We are using this solution for static analysis.

The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools.

The solution could improve the Dynamic Analysis Security Testing(DAST).

There could be better support for different languages. It is very difficult in some languages to prepare the solution for the static analysis and this procedure is really hard for a pipeline, such as GitHub. They should make it easy to scan projects for any language like they do in other vendors, such as Checkmarx.

We have found there are a lot of false positives and the severity rating we have been receiving has been different compared to other vendor's solutions. For example, in Veracode, we receive a rating of low but in others solutions, we receive a rating of high when doing the glitch analysis.

We have been using this solution for approximately six years.

We have not had much free expert support from the vendor. We have had to have a team of highly skilled individuals to make the solution work.

The initial setup is difficult. For example, in Android, if I need to scan an ordinary APK Android application, we need to generate the APK and when you are working in GitHub, you need to do a lot of work to make these combinations able to be scanned by Veracode.

We did the implementation ourselves.

I have previously evaluated Checkmarx.

The solution is good at finding issues and provide some very useful tools. I would advise those wanting to implement this solution to purchase professional support from the vendor. If you do not, you run the risk of having many problems such as the ones we have faced.

The DAST tool is very useful and is used in preproduction.  

I rate Veracode a six out of ten.