Veracode Reviews

Provides static code analysis of the customers' applications from all industries. It includes any type of code and scripts, but mostly Java, .Net, C++, and C# environments.

The solution is a specialist in SAST that you can rely on. Code scanning is fast with current, updated algorithms.

Provides consistent evaluation and results without huge fluctuations in false positives or negatives. 

It should include more informational, low level, vulnerability summaries and groupings. Large related groups of low level vulnerabilities may amount to a design flaw or another avenue for attack.

Static code scan.

We have used the results of scans to train our people and make them more sensitive to security issues during development, although we haven't done any specific integration of Veracode into our software development cycle. Engineers are better trained, so we hope to see increased compliance with our security guidelines.

We do incorporate the suggested course of action from the Veracode report (AppSec best practices and guidance) in our best practices.

Also, our customers benefit from the fact that the application is more secure.

We use the results of the scan to identify vulnerabilities in the product.

Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines.

No issues with stability.

Because our application is large, it takes a long time to upload and scan.

Based on limited usage, we are satisfied.

We did not have a previous solution. We picked this product because our partner (SAP) uses it.

Straightforward.

There are no directly measurable cost savings. We see security improvement as a key part of our product development.

When asked, we let our customers and partners know that we use Veracode and that we are happy with it.

We use Veracode to ensure that the software we are building is secure.

The most valuable feature is the dynamic application security testing.

It takes a while to get a response to the software composition analysis. It is within an acceptable range but it could still be improved.

In the future, I would like to see the RASP capability built-in.

We have been using Veracode SCA for three months.

SCA is pretty stable.

Scalability doesn't really apply to a software composition analysis tool.

The technical support is pretty good. When I requested help they contacted me within an hour. I don't have any issues with them.

The initial setup is pretty straightforward.

In summary, I think that this is a good tool and I recommend it for helping with security in software development.

I would rate this solution an eight out of ten.

Static application security testing, which is the primary use case. 

There were different web applications which were scanned using this tool.

Veracode scans provide a higher number of false positives. Also, the overall reporting structure is complicated, and it's difficult to understand the report.

Veracode provides faster scans compared to other static analysis security testing tools.

Veracode should provide support to more software languages, like ABAP.

We use it for a lot of things and they're all primary: SAST, DAST, and Greenlight.

By using this product, we can point out not only any potentially insecure coding, but how to fix it. It's a requirement, a legal requirement. So we benefit by not breaking regulatory law.

SAST, DAST, and Greenlight are the most important features because today it's important for our regulatory compliance law to keep our product coding relatively secure.

For our rapid, secure DevOps cycle, we have integration of the Vericode API into our build tool, and Greenlight into our IDE.

I think they are doing pretty well. It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo. I think that's a real good idea.

No issues with stability.

No issues with scalability, other than making sure that our people know how to use it.

Excellent.

Never. I've been using it for 20 years. I tried others, like HPE's and IBM's, when I was with Visa, but this is the best.

I think it's simple, but sometimes it would help to have more training for developers to help them set it up.

I can't give you exact numbers, but it's a lot cheaper to do it sooner rather than later.

Pricing is worth the value. 

They didn't have products before this one. This one pre-dated them.

I recommend CA Veracode all the time. I am a public speaker, frequently on the speaker circuit, and I recommend it all the time. There are really three solutions at the top of the industry ratings, and Veracode is the best, in my opinion.

We are a good customer and we had been for a long time. I actually am a bit of an evangelist for them when I'm doing public speaking.

We used the application for the web. Static, dynamic, and manual scan features were all very useful for us. All of them helped us fix many security flaws.

It made us change our approach to coding. We tried to make sure our application stayed secure and safe.

The current features were enough for us. Although reports are well documented, it was difficult for us to understand them at first.

We have been using the solution for about a year.

We did not encounter any issues with stability.

We did not encounter any issues with scalability.

We didn't use the technical support, so I can't comment on this question.

We did not use a previous solution. This was the first security application we used.

It was very easy to setup. Everything on the website was clearly explained.

I don't know about the prices.

We did not evaluate any alternative solutions.

If it's the first time you are using a security application, be ready for some new tools which you will require you to revitalize the flaws reported.

Reports are very well documented. Once you understand what it means and you get used to it, you will see that it is detailed and clearly explained.

There needs to be better API integration to the development team's pipeline, which is something that is missing and needs to be improved.

We have been using the solution for approximately three months.

The installation was straightforward.

I rate Veracode Manual Penetration Testing a nine out of ten.

This was intended to scan all of our custom development efforts to ensure a certain level of (secure) code quality. Right now the scope of that effort is limited to web exposed systems but with maturity, we hope to increase that scope.

The Veracode platform probably hasn't improved our organization overall, although through no fault of theirs. Veracode is just one more tool that generates work for our developers.

The source composition analysis component is great because it gives our developers some comfort in using new libraries.

I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan. For instance, we have CI scans that run automatically, and sometimes the files don't get upload and/or processed by Veracode. Now, there's a static scan that hasn't been completed, which blocks all future scans. The only way we know this is an issue is going into the Web UI, check each application, and look for stalled scans. This is time-consuming and frustrating.

I have been using Veracode for three years.