Veracode Reviews

To certify that we have valid code, and that the developers are working with valid structures and writing good code.

The coding standards in our development group have improved. When we scan our code - at the end of a build cycle we'll go through and scan our code - from those scans we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications.

That is now part of our software development life cycle, to do a static scan before we release to our client base. We mitigate what we have to.

I'm not aware of any cost savings relating to code fixes since implementing Veracode in our development process.

In terms of Veracode providing application security best practices and guidance to our development teams, once we scan the software and we have to go through a mitigation process, we make sure we implement that in the base standards. Once we mitigate a problem, we implement it back into the base to make sure the developers who are still developing code are not going to have the same issues that we just mitigated.

For our customers, they know that we go through another level of application security with our application, one our competitors don't use. They know our code meets a standard and that we implement the standard and the structures. That we have mitigated gives them a little bit of peace of mind that our code is valid, and that it's not going to hurt their infrastructure. 

We just use the static scan, it's all we got into as of now. We're happy with that, it seems to work very well for us.

Going through the mitigation is probably the hardest thing to do and that's still an ongoing process. If there is a code issue to mitigate, it sometimes takes a little bit longer than what you would think. It might not be anything that they're doing. It's just their engine is changing and our code is changing so we have two things moving. We get a good score one time, scan it again on a new release and the score drops because the engine is picking up more things. I don't know if they could do anything about that. It's just one of those things you might just have to live with.

No issues with stability.

No issues with scalability, we're good there.

They're very good. Anything that we've brought up to them, they've responded to us very quickly.

We used the built-in solution inside of Microsoft Visual Studio, and we switched because Veracode had more cohesive scanning abilities and found a lot more issues with our code, when we first scanned it.

It was pretty straightforward.

We get good value out of what we have right now.

We had a couple of products that we looked at, but went with Veracode.

I am highly likely to recommend Veracode to colleagues.

Make sure, once you scan and find issues with your code, that the developers know how to remediate those issues so they don't go through them again.

It's going to take some time to get through your first set of scans and mitigations. To fix your code is not straightforward. But once you do that and implement it back through your whole development cycle, they identify the issues and it's very easy to fix them, once you know and have gone through it once.

We use it for a lot of things and they're all primary: SAST, DAST, and Greenlight.

By using this product, we can point out not only any potentially insecure coding, but how to fix it. It's a requirement, a legal requirement. So we benefit by not breaking regulatory law.

SAST, DAST, and Greenlight are the most important features because today it's important for our regulatory compliance law to keep our product coding relatively secure.

For our rapid, secure DevOps cycle, we have integration of the Vericode API into our build tool, and Greenlight into our IDE.

I think they are doing pretty well. It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo. I think that's a real good idea.

No issues with stability.

No issues with scalability, other than making sure that our people know how to use it.

Excellent.

Never. I've been using it for 20 years. I tried others, like HPE's and IBM's, when I was with Visa, but this is the best.

I think it's simple, but sometimes it would help to have more training for developers to help them set it up.

I can't give you exact numbers, but it's a lot cheaper to do it sooner rather than later.

Pricing is worth the value. 

They didn't have products before this one. This one pre-dated them.

I recommend CA Veracode all the time. I am a public speaker, frequently on the speaker circuit, and I recommend it all the time. There are really three solutions at the top of the industry ratings, and Veracode is the best, in my opinion.

We are a good customer and we had been for a long time. I actually am a bit of an evangelist for them when I'm doing public speaking.

There needs to be better API integration to the development team's pipeline, which is something that is missing and needs to be improved.

We have been using the solution for approximately three months.

The installation was straightforward.

I rate Veracode Manual Penetration Testing a nine out of ten.

Security scanning.

It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security.

In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better.

As for our customers, it lowers the risk for people visiting our site.

Catching coding flaws before they go live.

Regarding integrating Veracode into our software development lifecycle, we started out with it being used only as a web interface, and now developers are starting to use it right in their IDE on the desktop.

It's a pretty dynamic product. It's changing all the time and improving.

The scanning is a little slow, but other than that it's fine. It's usually when the binaries get up into the multi-hundred-megabyte size.

We haven't encountered any scalability issues with Veracode so far.

They're awesome. Their timeliness is acceptable, but their expertise is phenomenal.

Veracode is the first professional solution I've used. It was in place when I got to the company.

We just use it as a cloud service for third-party developers.

In terms of cost savings relating to code fixes since implementing Veracode in our development process, I can't really give hard numbers.

I'm not the pricing guy.

Licensing is pretty flexible. It's a little bit weird, it's by the size of the binary, which is a strange way to license a product. So far they've been pretty flexible about it.

I recommend it all the time.

It's an important aspect of a complete security program. Not necessarily this product, but source code, fraud detection.

I'd give it an eight out of 10 because it's pretty straightforward, but you still have to mostly wrap it with organizational policies that encourages its use. It's not a product - and I don't think it's really a product category - that sells itself to the end-user. They see benefits, but they do have to be convinced to use it.

Static code scan.

We have used the results of scans to train our people and make them more sensitive to security issues during development, although we haven't done any specific integration of Veracode into our software development cycle. Engineers are better trained, so we hope to see increased compliance with our security guidelines.

We do incorporate the suggested course of action from the Veracode report (AppSec best practices and guidance) in our best practices.

Also, our customers benefit from the fact that the application is more secure.

We use the results of the scan to identify vulnerabilities in the product.

Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines.

No issues with stability.

Because our application is large, it takes a long time to upload and scan.

Based on limited usage, we are satisfied.

We did not have a previous solution. We picked this product because our partner (SAP) uses it.

Straightforward.

There are no directly measurable cost savings. We see security improvement as a key part of our product development.

When asked, we let our customers and partners know that we use Veracode and that we are happy with it.

Allows developers to run their own scans.

Reduced dependency on the security team to run scans. It helped the organizations to scan a large number of applications on a regular basis.

I would like to see the following:

• Correction of the regularly received false positives
• Options to manage comments and mitigations
• Better UI functionality

We have used this solution for a year.

A few months ago, there were issues with the scanners and tickets were opened. However, they were resolved. This is a stable product.

There have not been any scalability issues yet.

I would give technical support a rating of 8/10. At times, we have not seen the best support in terms of issues faced during a scan.

This was intended to scan all of our custom development efforts to ensure a certain level of (secure) code quality. Right now the scope of that effort is limited to web exposed systems but with maturity, we hope to increase that scope.

The Veracode platform probably hasn't improved our organization overall, although through no fault of theirs. Veracode is just one more tool that generates work for our developers.

The source composition analysis component is great because it gives our developers some comfort in using new libraries.

I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan. For instance, we have CI scans that run automatically, and sometimes the files don't get upload and/or processed by Veracode. Now, there's a static scan that hasn't been completed, which blocks all future scans. The only way we know this is an issue is going into the Web UI, check each application, and look for stalled scans. This is time-consuming and frustrating.

I have been using Veracode for three years.

We used the application for the web. Static, dynamic, and manual scan features were all very useful for us. All of them helped us fix many security flaws.

It made us change our approach to coding. We tried to make sure our application stayed secure and safe.

The current features were enough for us. Although reports are well documented, it was difficult for us to understand them at first.

We have been using the solution for about a year.

We did not encounter any issues with stability.

We did not encounter any issues with scalability.

We didn't use the technical support, so I can't comment on this question.

We did not use a previous solution. This was the first security application we used.

It was very easy to setup. Everything on the website was clearly explained.

I don't know about the prices.

We did not evaluate any alternative solutions.

If it's the first time you are using a security application, be ready for some new tools which you will require you to revitalize the flaws reported.

Reports are very well documented. Once you understand what it means and you get used to it, you will see that it is detailed and clearly explained.