Veracode Reviews

Certifying the application security of my SAS-based application code base.

It allows us to prove our security levels to vendors, and additionally helps us with our HIPAA security policies. Also, CA Veracode has provided AppSec best practices and guidance to our teams. Finally, it makes the IT Governance process of the sales cycle easier.

Static and dynamic scans of the code. It is part of our release cycle.

Mitigation review isn't always super easy.

No issues with stability.

No issues with scalability.

It is excellent.

Straightforward to set up, but the configuration of the rules engine is difficult and complicated.

It helps us get over the line for security when contracting with customers, and any help reducing security vulnerabilities is a big help to us.

Pricing/licensing is complicated.

Do your research, make sure you implement the tools you need.

I am very likely to recommend Veracode to a colleague.

Allows developers to run their own scans.

Reduced dependency on the security team to run scans. It helped the organizations to scan a large number of applications on a regular basis.

I would like to see the following:

• Correction of the regularly received false positives
• Options to manage comments and mitigations
• Better UI functionality

We have used this solution for a year.

A few months ago, there were issues with the scanners and tickets were opened. However, they were resolved. This is a stable product.

There have not been any scalability issues yet.

I would give technical support a rating of 8/10. At times, we have not seen the best support in terms of issues faced during a scan.

Security scanning.

It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security.

In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better.

As for our customers, it lowers the risk for people visiting our site.

Catching coding flaws before they go live.

Regarding integrating Veracode into our software development lifecycle, we started out with it being used only as a web interface, and now developers are starting to use it right in their IDE on the desktop.

It's a pretty dynamic product. It's changing all the time and improving.

The scanning is a little slow, but other than that it's fine. It's usually when the binaries get up into the multi-hundred-megabyte size.

We haven't encountered any scalability issues with Veracode so far.

They're awesome. Their timeliness is acceptable, but their expertise is phenomenal.

Veracode is the first professional solution I've used. It was in place when I got to the company.

We just use it as a cloud service for third-party developers.

In terms of cost savings relating to code fixes since implementing Veracode in our development process, I can't really give hard numbers.

I'm not the pricing guy.

Licensing is pretty flexible. It's a little bit weird, it's by the size of the binary, which is a strange way to license a product. So far they've been pretty flexible about it.

I recommend it all the time.

It's an important aspect of a complete security program. Not necessarily this product, but source code, fraud detection.

I'd give it an eight out of 10 because it's pretty straightforward, but you still have to mostly wrap it with organizational policies that encourages its use. It's not a product - and I don't think it's really a product category - that sells itself to the end-user. They see benefits, but they do have to be convinced to use it.

The SAST feature is the most valuable aspect of the solution.

The stability has been quite good overall. The performance is reliable. 

The scalability on offer is good. I don't see any constraints.

From a usability standpoint and the way it can be integrated into the pipelines, etc., it's very good.

It's comprehensive from a feature standpoint. 

The reports on offer are too verbose. They might want to consider t restructuring their reports to better give a very good summary or overview in the first five or so pages and then go ahead and drill into the details of each and every vulnerability beyond that.

The documentation could be improved. They could, for example, provide more details in terms of how to fix issues related to sign-ups. There isn't enough detailed information out there to assist users.

I joined this company very recently. Therefore, I've only used the solution for a few months. However, this company has used Veracode for at least the last two to three years. They've had it for a while.

The stability overall is quite reliable. There are no bugs or glitches. It doesn't crash or freeze. Its performance is very good.

The solution can scale well. If a company is considering expanding, it should be able to do so without issue.

We do have a limited amount of users on the solution right now.

I've never had a need, up to this point, to reach out to technical support. I haven't really come across any technical issues during my short tenure with the product. Therefore, I can't speak to how helpful or responsive they are. I don't have any insights I could share. 

We have a few team members that specialize in the solution.

Our team handles the maintenance of the solution.

I don't have enough information to be able to comment on the cost of licensing the product. That's more of a sales question. I don't handle any aspect of that part of the solution.

We are customers and end-users. We don't really have a business relationship with Veracode.

I'm more from the performance testing side of things. I've just added the security testing to my list of responsibilities recently.

We're using a mix of deployment models. We use both on-premises and cloud deployments. 

It's a good tool. I've done some comparisons with both SAST and DAST. It gives us this end-to-end sort of feature that we appreciate. Therefore, rather than you doing SAST with one tool and DAST with another tool, I prefer going with Veracode, which offers both. 

You can learn both static and dynamic scans with a single tool. You could effectively negotiate a price and do that. If you got some simple apps, from a CAC standpoint, I'd recommend folks to use Veracode.

I'd rate the solution at a seven out of ten. 

SAST. We have not yet integrated it into our software development lifecycle as it doesn't have the feature that enables us to integrate it with our repository.

It helps in achieving secure programming. Veracode provides us with industry best practices according to OWASP, CERT, and SANS. Our customers get the security of bug-free code and assurance regarding the application.

Scanning of .war and .jar.

Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries.

No stability issues yet.

No scalability issues yet.

We used SonarQube but to improve security in SAST we choose this.

Setup is straightforward.

The pricing is good for static code analysis.

Checkmarx, SonarQube.

Implement this solution if you see WAF and SOC in your future.

Our primary use case for this solution is application security.

The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.

This solution does a good job, but it is limited to only a few technologies. I would like to see expanded coverage for supporting more platforms, frameworks, and languages.

Specifically, I would like to see support for mobile frameworks like Xaramin and React JS, as well as extended support for iOS applications.

This solution is quite scalable.

We have approximately fifty users, but we definitely have plans to add more.

I have used their technical support and they are quite good.

We did not use another solution prior to this one.

The initial setup of this solution is straightforward.

This solution is on the pricey side. They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.

We evaluated other options, but we chose Veracode.

My advice for anybody who is interested in implementing this solution is to ensure that your technology is actually supported because the coverage is quite patchy. It is possible that if you use a framework or a language that Veracode does not support then it will give quite poor results.

I would rate this solution a six out of ten.

I am a consultant and SourceClear is one of the solutions that I use to provide services.

This solution is used by people who want to verify the security of their own applications.

The most valuable feature is the efficiency of the tool in finding vulnerabilities.

A high number of false positives are reported and this should be reduced.

I have been using SourceClear for about a year and a half.

This is a stable solution.

We have no complaints about scalability. We have between 200 and 300 clients.

We have not been in touch with Veracode's technical support.

We have also used Checkmarx, where you can train the tool for false positives and ultimately reduce them.

The initial setup is a little bit complex.

It would be better to have some assistance when implementing this solution.

Overall, SourceClear is working fine for us and our main complaint is in regard to the high number of false positives. Nonetheless, I would recommend Checkmarx over SourceClear.

I would rate this solution a six out of ten.

Dynamic and static scanning.

We're being much more security conscious whenever we're writing code, and we're trying to make sure it's giving us a benchmark, and to make sure we meet that, on a release cycle.

In terms of AppSec best practices, it has made everybody more conscious about what they're trying to accomplish, because they know at the end of the release cycle we're going to be running scans. They basically need to make sure they adhere to all the rules.

Our customers have benefited from the added application security we offer because they're more confident that our software isn't going to expose their organizations to any risk.

The ability to run scans. It's a critical piece of why we use the platform. We use it to get our scan results and see where our software is vulnerable or not vulnerable.

It's part of our SDLC now.

The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but sometimes it causes more work on our end.

No issues with stability.

Not that I know of.

I have not contacted tech support.

It seemed straightforward. I didn't actually do the work, but from what I was told, it seemed like it was fairly easy to get going.

I cannot give numbers on any cost savings related to code fixes since implementing CA Veracode in our development process.

It's worth the value.

We did evaluate other options, but I can't remember who we looked at.

I would be highly likely to recommend working with CA Veracode to colleagues. 

I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it needs to do.

Just be prepared that it's going to take effort from all aspects of the business to be able to utilize and achieve the goal that you're looking to achieve with the product.