Allows developers to run their own scans.
Security Consultant at a tech company with 501-1,000 employees
Allows developers to run their own scans. I would like to see the false positives corrected.
What is most valuable?
How has it helped my organization?
Reduced dependency on the security team to run scans. It helped the organizations to scan a large number of applications on a regular basis.
What needs improvement?
I would like to see the following:
- Correction of the regularly received false positives
- Options to manage comments and mitigations
- Better UI functionality
For how long have I used the solution?
We have used this solution for a year.
Buyer's Guide
Veracode
November 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,053 professionals have used our research since 2012.
What do I think about the stability of the solution?
A few months ago, there were issues with the scanners and tickets were opened. However, they were resolved. This is a stable product.
What do I think about the scalability of the solution?
There have not been any scalability issues yet.
How are customer service and support?
I would give technical support a rating of 8/10. At times, we have not seen the best support in terms of issues faced during a scan.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Lead Analyst at a consumer goods company with 10,001+ employees
We have learned from the recommended remediation strategies, making future code better
Pros and Cons
- "It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security."
- "In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better."
- "The scanning is a little slow, but other than that it's fine. It's usually when the binaries get up into the multi-hundred megabyte size."
What is our primary use case?
Security scanning.
How has it helped my organization?
It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security.
In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better.
As for our customers, it lowers the risk for people visiting our site.
What is most valuable?
Catching coding flaws before they go live.
Regarding integrating Veracode into our software development lifecycle, we started out with it being used only as a web interface, and now developers are starting to use it right in their IDE on the desktop.
What needs improvement?
It's a pretty dynamic product. It's changing all the time and improving.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
The scanning is a little slow, but other than that it's fine. It's usually when the binaries get up into the multi-hundred-megabyte size.
What do I think about the scalability of the solution?
We haven't encountered any scalability issues with Veracode so far.
How are customer service and technical support?
They're awesome. Their timeliness is acceptable, but their expertise is phenomenal.
Which solution did I use previously and why did I switch?
Veracode is the first professional solution I've used. It was in place when I got to the company.
How was the initial setup?
We just use it as a cloud service for third-party developers.
What was our ROI?
In terms of cost savings relating to code fixes since implementing Veracode in our development process, I can't really give hard numbers.
What's my experience with pricing, setup cost, and licensing?
I'm not the pricing guy.
Licensing is pretty flexible. It's a little bit weird, it's by the size of the binary, which is a strange way to license a product. So far they've been pretty flexible about it.
What other advice do I have?
I recommend it all the time.
It's an important aspect of a complete security program. Not necessarily this product, but source code, fraud detection.
I'd give it an eight out of 10 because it's pretty straightforward, but you still have to mostly wrap it with organizational policies that encourages its use. It's not a product - and I don't think it's really a product category - that sells itself to the end-user. They see benefits, but they do have to be convinced to use it.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Veracode
November 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,053 professionals have used our research since 2012.
Senior Project Manager at a computer software company with 501-1,000 employees
Comprehensive features and good integrations but needs better documentation
Pros and Cons
- "It's comprehensive from a feature standpoint."
- "The reports on offer are too verbose."
What is most valuable?
The SAST feature is the most valuable aspect of the solution.
The stability has been quite good overall. The performance is reliable.
The scalability on offer is good. I don't see any constraints.
From a usability standpoint and the way it can be integrated into the pipelines, etc., it's very good.
It's comprehensive from a feature standpoint.
What needs improvement?
The reports on offer are too verbose. They might want to consider t restructuring their reports to better give a very good summary or overview in the first five or so pages and then go ahead and drill into the details of each and every vulnerability beyond that.
The documentation could be improved. They could, for example, provide more details in terms of how to fix issues related to sign-ups. There isn't enough detailed information out there to assist users.
For how long have I used the solution?
I joined this company very recently. Therefore, I've only used the solution for a few months. However, this company has used Veracode for at least the last two to three years. They've had it for a while.
What do I think about the stability of the solution?
The stability overall is quite reliable. There are no bugs or glitches. It doesn't crash or freeze. Its performance is very good.
What do I think about the scalability of the solution?
The solution can scale well. If a company is considering expanding, it should be able to do so without issue.
We do have a limited amount of users on the solution right now.
How are customer service and technical support?
I've never had a need, up to this point, to reach out to technical support. I haven't really come across any technical issues during my short tenure with the product. Therefore, I can't speak to how helpful or responsive they are. I don't have any insights I could share.
How was the initial setup?
We have a few team members that specialize in the solution.
Our team handles the maintenance of the solution.
What's my experience with pricing, setup cost, and licensing?
I don't have enough information to be able to comment on the cost of licensing the product. That's more of a sales question. I don't handle any aspect of that part of the solution.
What other advice do I have?
We are customers and end-users. We don't really have a business relationship with Veracode.
I'm more from the performance testing side of things. I've just added the security testing to my list of responsibilities recently.
We're using a mix of deployment models. We use both on-premises and cloud deployments.
It's a good tool. I've done some comparisons with both SAST and DAST. It gives us this end-to-end sort of feature that we appreciate. Therefore, rather than you doing SAST with one tool and DAST with another tool, I prefer going with Veracode, which offers both.
You can learn both static and dynamic scans with a single tool. You could effectively negotiate a price and do that. If you got some simple apps, from a CAC standpoint, I'd recommend folks to use Veracode.
I'd rate the solution at a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Lead Security Engineer at a tech vendor with 201-500 employees
Our customers get the security of bug-free code, but raw file scans would help
Pros and Cons
- "Scanning of .war and .jar is key for us."
- "Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries."
What is our primary use case?
SAST. We have not yet integrated it into our software development lifecycle as it doesn't have the feature that enables us to integrate it with our repository.
How has it helped my organization?
It helps in achieving secure programming. Veracode provides us with industry best practices according to OWASP, CERT, and SANS. Our customers get the security of bug-free code and assurance regarding the application.
What is most valuable?
Scanning of .war and .jar.
What needs improvement?
Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries.
For how long have I used the solution?
Trial/evaluations only.
What do I think about the stability of the solution?
No stability issues yet.
What do I think about the scalability of the solution?
No scalability issues yet.
Which solution did I use previously and why did I switch?
We used SonarQube but to improve security in SAST we choose this.
How was the initial setup?
Setup is straightforward.
What's my experience with pricing, setup cost, and licensing?
The pricing is good for static code analysis.
Which other solutions did I evaluate?
Checkmarx, SonarQube.
What other advice do I have?
Implement this solution if you see WAF and SOC in your future.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Managing Principal Consultant at a tech vendor with 11-50 employees
Easy to scale and does a good job, but only for a limited number of technologies
Pros and Cons
- "The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs."
- "I would like to see expanded coverage for supporting more platforms, frameworks, and languages."
What is our primary use case?
Our primary use case for this solution is application security.
What is most valuable?
The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.
What needs improvement?
This solution does a good job, but it is limited to only a few technologies. I would like to see expanded coverage for supporting more platforms, frameworks, and languages.
Specifically, I would like to see support for mobile frameworks like Xaramin and React JS, as well as extended support for iOS applications.
For how long have I used the solution?
Five years.
What do I think about the scalability of the solution?
This solution is quite scalable.
We have approximately fifty users, but we definitely have plans to add more.
How are customer service and technical support?
I have used their technical support and they are quite good.
Which solution did I use previously and why did I switch?
We did not use another solution prior to this one.
How was the initial setup?
The initial setup of this solution is straightforward.
What's my experience with pricing, setup cost, and licensing?
This solution is on the pricey side. They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.
Which other solutions did I evaluate?
We evaluated other options, but we chose Veracode.
What other advice do I have?
My advice for anybody who is interested in implementing this solution is to ensure that your technology is actually supported because the coverage is quite patchy. It is possible that if you use a framework or a language that Veracode does not support then it will give quite poor results.
I would rate this solution a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Associate Consultant at a comms service provider with 201-500 employees
Efficient at finding vulnerabilities but the number of false positives should be reduced
Pros and Cons
- "The most valuable feature is the efficiency of the tool in finding vulnerabilities."
- "A high number of false positives are reported and this should be reduced."
What is our primary use case?
I am a consultant and SourceClear is one of the solutions that I use to provide services.
This solution is used by people who want to verify the security of their own applications.
What is most valuable?
The most valuable feature is the efficiency of the tool in finding vulnerabilities.
What needs improvement?
A high number of false positives are reported and this should be reduced.
For how long have I used the solution?
I have been using SourceClear for about a year and a half.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
We have no complaints about scalability. We have between 200 and 300 clients.
How are customer service and technical support?
We have not been in touch with Veracode's technical support.
Which solution did I use previously and why did I switch?
We have also used Checkmarx, where you can train the tool for false positives and ultimately reduce them.
How was the initial setup?
The initial setup is a little bit complex.
What about the implementation team?
It would be better to have some assistance when implementing this solution.
What other advice do I have?
Overall, SourceClear is working fine for us and our main complaint is in regard to the high number of false positives. Nonetheless, I would recommend Checkmarx over SourceClear.
I would rate this solution a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
VP of Services at a tech vendor with 51-200 employees
We're much more security conscious when writing code, to meet the benchmarks it gives us
Pros and Cons
- "We use it to get our scan results and see where our software is vulnerable or not vulnerable."
- "The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."
What is our primary use case?
Dynamic and static scanning.
How has it helped my organization?
We're being much more security conscious whenever we're writing code, and we're trying to make sure it's giving us a benchmark, and to make sure we meet that, on a release cycle.
In terms of AppSec best practices, it has made everybody more conscious about what they're trying to accomplish, because they know at the end of the release cycle we're going to be running scans. They basically need to make sure they adhere to all the rules.
Our customers have benefited from the added application security we offer because they're more confident that our software isn't going to expose their organizations to any risk.
What is most valuable?
The ability to run scans. It's a critical piece of why we use the platform. We use it to get our scan results and see where our software is vulnerable or not vulnerable.
It's part of our SDLC now.
What needs improvement?
The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but sometimes it causes more work on our end.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
No issues with stability.
What do I think about the scalability of the solution?
Not that I know of.
How is customer service and technical support?
I have not contacted tech support.
How was the initial setup?
It seemed straightforward. I didn't actually do the work, but from what I was told, it seemed like it was fairly easy to get going.
What was our ROI?
I cannot give numbers on any cost savings related to code fixes since implementing CA Veracode in our development process.
What's my experience with pricing, setup cost, and licensing?
It's worth the value.
Which other solutions did I evaluate?
We did evaluate other options, but I can't remember who we looked at.
What other advice do I have?
I would be highly likely to recommend working with CA Veracode to colleagues.
I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it needs to do.
Just be prepared that it's going to take effort from all aspects of the business to be able to utilize and achieve the goal that you're looking to achieve with the product.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Product Manager at GMS
All areas of the solution could use some improvement. It helps me to detect vulnerabilities.
Pros and Cons
- "It helps me to detect vulnerabilities."
- "All areas of the solution could use some improvement."
What is our primary use case?
We are Veracode partners/distributors in Quito, Ecuador.
At this moment, I am reviewing the solution.
How has it helped my organization?
It helps me to detect vulnerabilities.
What is most valuable?
I use the SAST feature the most.
What needs improvement?
All areas of the solution could use some improvement.
For how long have I used the solution?
Trial/evaluations only.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are Veracode partners/distributors in Quito, Ecuador.
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Application Security Tools Static Application Security Testing (SAST) Container Security Software Composition Analysis (SCA) Penetration Testing Services Static Code Analysis Application Security Posture Management (ASPM)Popular Comparisons
SonarQube Server (formerly SonarQube)
GitLab
Snyk
Checkmarx One
Mend.io
Fortify on Demand
Sonatype Lifecycle
CrowdStrike Falcon Cloud Security
Acunetix
PortSwigger Burp Suite Professional
GitHub Advanced Security
HCL AppScan
Qualys Web Application Scanning
GitHub
Klocwork
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What is the biggest difference between Veracode and Checkmarx?
- Which gives you more for your money - SonarQube or Veracode?
- Checkmarx or Veracode. Which should we choose?
- Would you recommend Veracode? What are some of your use cases?
- Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
- What do I scan when changing code in Veracode?
- If you had to both encrypt and compress data during transmission, which would you do first and why?
- When evaluating Application Security, what aspect do you think is the most important to look for?
- What are the Top 5 cybersecurity trends in 2022?
- What are the threats associated with using ‘bogus’ cybersecurity tools?