We use Veracode for application scanning.
Senior Software Engineer at Capgemini
Provides visibility into the application status at every phase of development which makes it easier for our DevSecOps to do their jobs
Pros and Cons
- "Being able to scan our applications and identify all codes and defects is an extremely valuable feature."
- "Scanning large amounts of code can be a time-consuming process and there is scope for improvement."
What is our primary use case?
How has it helped my organization?
Veracode is able to prevent vulnerable code from going into production.
Veracode has helped us to identify the vulnerable code in our applications before we put them into production.
The solution allows us to ensure compliance with standards and regulations.
Veracode provides visibility into the application status at every phase of development which makes it easier for our DevSecOps to do their jobs.
I give Veracode a nine out of ten for its ability to identify false positives. The false positive rate has increased our developers' confidence.
Veracode has enhanced our capability to address flaws by identifying bugs that may not have been detected through static analysis data.
Veracode has had a positive impact on our organization by providing us with greater insight into our data.
Veracode helps our developers save approximately ten percent of their time by detecting code issues and enabling them to promptly fix bugs before releasing the information into production.
Veracode helps secure our private data which improves our overall security posture.
What is most valuable?
Being able to scan our applications and identify all codes and defects is an extremely valuable feature.
What needs improvement?
Scanning large amounts of code can be a time-consuming process and there is scope for improvement.
Buyer's Guide
Veracode
November 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,053 professionals have used our research since 2012.
For how long have I used the solution?
I have been using the solution for nine months.
What do I think about the stability of the solution?
Veracode is stable.
What do I think about the scalability of the solution?
Veracode is scalable. We have between 300 to 500 users.
How are customer service and support?
The technical support is responsive.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used some open source solutions and the management teams decided to switch over to Veracode.
What other advice do I have?
I give the solution an eight out of ten.
We have Veracode deployed in multiple locations.
Maintenance is only required when updating the solution.
You should evaluate multiple solutions, but I suggest considering Veracode if it aligns with the organization's requirements.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Web Developer at an insurance company with 1,001-5,000 employees
Provides detailed visibility, prevents vulnerable code, and has great support
Pros and Cons
- "We like the fact that all the issues are identified and that Veracode provides sufficient information on how to resolve them."
- "Sometimes, the scans halt or drop for some reason, and we need to get help from Veracode to fix it."
What is our primary use case?
We use Veracode to scan our websites at the beginning of the development process. When we are ready to launch a new application on the website, we upload it to Veracode for scanning. Veracode finds any vulnerabilities in the code and returns the results to us. We must then resolve all of the vulnerabilities and mitigate any risks before we can publish the application. We have also set up recurring scans, so that any time we release a new version of the same application, Veracode will automatically scan it again to ensure that we have not missed any vulnerabilities. We have been using Veracode for six or seven of our websites.
How has it helped my organization?
Veracode's ability to prevent vulnerable code from entering production is comprehensive and effective.
Veracode has been very helpful as a preliminary step to launching our products to ensure that they are secure. It has also helped our developers learn the security checkpoints that we need to follow so that they can code with security in mind.
It provides visibility into the status of our applications at every phase of development throughout the software development lifecycle. We heavily use the Veracode Greenlight plugin for Visual Studio to scan and check our code as we write it. Veracode also helps us to develop our applications securely. We have configured our QA websites to be scanned by Veracode so that we do not push anything into production that is insecure.
I recently encountered a Veracode false positive, but we immediately mitigated it on our end. Veracode also filed the case and will include it in their code to mark it as a false positive. We took action after that.
False positives are rare. Veracode provides us with enough information about the issue, so we can usually identify them as we go through the report. We are also learning from the issues and from Veracode itself. If a false positive is reported, it is fine and does not have a significant impact on us.
Veracode has been incorporated into our process, which helps us fix flaws. Whenever we develop external websites, we consider the code, the scanning, and everything else involved. This ensures that we are prepared and have enough time to receive the scan results and fix any issues. We have essentially incorporated this into the lifecycle of our project, which I believe is very valuable.
What is most valuable?
We like the fact that all the issues are identified and that Veracode provides sufficient information on how to resolve them. This is very helpful if we need to troubleshoot problems ourselves, as we have plenty of information at our disposal. Additionally, we appreciate the option to request a consultation directly from the issue itself. Whenever there is a problem, there is a small button that says "Reach out to a consultant." We can then schedule a call with a consultant who can help us resolve the issue.
What needs improvement?
Veracode provides us with some usage metrics. These metrics are based on the number of times we use Veracode, which is tied to our static scans. We only use static scans when we make changes to our code, and we have a part of our pipeline that runs the Veracode scan whenever we make a change or deploy the code. However, we don't deploy code very often because we have 20-30 websites in our company and we don't dedicate a lot of time to each individual website. So, when we do make changes, we will run the scan because it's part of the pipeline, but this has been affecting our usage metrics. We're not sure why Veracode's usage metrics are designed this way, but maybe they can provide some insight. We use these metrics, but we're now thinking about getting different metrics from Veracode. I started looking into setting up some dashboards myself so that we can have our own dashboard and statistics, such as how many flaws we've resolved in the past six months or how many issues we've identified when we're deploying a new website. We're more interested in these types of statistics than in how many times we're using Veracode because fixing flaws is the value that we're getting out of Veracode. Maybe setting up a new dashboard would be helpful, but that's something that Veracode can provide clarity or insight on.
For how long have I used the solution?
I have been using Veracode for four years.
What do I think about the stability of the solution?
Sometimes, the scans halt or drop for some reason, and we need to get help from Veracode to fix it. However, this is not a major issue.
How are customer service and support?
I opened a support ticket to use Veracode's consultant feature. When the consultant called me, the consultation was very smooth and easy. He had already reviewed the flaw that I had mentioned, my description of the issue, and the issue itself. He was able to provide good insight and help me resolve the issue quickly. I have done this a few times before, and the consultants are always well-prepared and give me all the suggestions I need. They already have a lot of information on their website, but they also go above and beyond by providing additional information and specific instructions when I schedule a consultation call. They have been very helpful in the past.
How would you rate customer service and support?
Positive
How was the initial setup?
The deployment was straightforward. Three people were involved in the deployment.
What about the implementation team?
The implementation was completed in-house.
What other advice do I have?
I would rate Veracode nine out of ten.
Veracode has a bit of a learning curve to get used to its different modules, such as our integrations, APIs, and our policies, as well as getting insights. However, my experience is that once everything is set up and scanned on the website, I really like the process of reviewing the flaws that Veracode lists and responding to the resolution steps that it provides. I also appreciate the ability to set up a consultation call and have the issue resolved. I think these are the steps that I really like, and they are helpful to me as a developer. Veracode helps me to learn about security considerations first and foremost, both while creating an app and after, and that has been a good experience for me.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Application Security Coordinator at Banco Votorantim
Good visibility and reporting with few false positives
Pros and Cons
- "Veracode's policy reporting for ensuring compliance with industry standards and regulations is great."
- "They could improve how they fix vulnerabilities. They could have more support in place to help the developers."
What is our primary use case?
It's a fast solution, so we use it to search for vulnerabilities in our code, software composition analysis, and to search for vulnerabilities in our libraries.
How has it helped my organization?
We have some security gates and it's not possible to release some applications from production. We can look at the solution and see medium, high, or critical vulnerabilities with ease at every stage.
What is most valuable?
The speed is the most valuable aspect.
Veracode's ability to prevent vulnerable code from going into production is very good since we have a few false positives. I'd rate this feature nine out of ten.
Veracode's policy reporting for ensuring compliance with industry standards and regulations is great. It has a detailed report that we can look at to see our landscape easily.
Veracode provides visibility into application status at every phase of development, with Veracode static analysis, dynamic analysis, software composition analysis, and manual penetration testing throughout your SDLC. It positively affects our DevSec processes. It's not possible to bypass Veracode. It's very secure.
There are very few false positives. I'd rate the false positive rate as nine out of ten. It's very good. It's very positive for developer confidence. They understand security development very well and Veracode provides excellent transparency.
It's reduced the time we've spent on tuning policies. We've saved around two hours. We used to waste around three hours and now we can do what we need to in 30 minutes.
It's helped our team fix flaws. The security gate helps our developers learn how to fix vulnerabilities. The solution has also helped them save time in their efforts. It provides descriptions of how to fix certain items. It saves them from having to search on the internet for fixes.
The solution has had a positive effect on our security posture. I'd rate it nine out of ten. We have very secure applications.
What needs improvement?
They could improve how they fix vulnerabilities. They could have more support in place to help the developers. That would help a lot of users.
The pricing can be improved. It is really, really expensive.
For how long have I used the solution?
I've been using the solution for five years.
What do I think about the stability of the solution?
I'd rate the scalability nine out of ten.
What do I think about the scalability of the solution?
We have about 500 end users of Veracode in our organization.
I'd rate the scalability ten out of ten. It's very good.
How are customer service and support?
Technical support is good. They are always communicative and share news and new technologies. They offer new languages and frameworks regularly.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I previously used Checkmarx in the past, as well as Fortify. I used it in another company. However, in banking, it's not possible to use something like Checkmarx. Veracode is more secure and more trusted.
How was the initial setup?
I was involved in the deployment. It was not complex to deploy. It was straightforward. The implementation strategy included looking at different flags and vulnerabilities and deploying in phases.
We had five to seven people to deploy the solution.
I'm not sure if there may be maintenance required.
What about the implementation team?
We used a third party to help with the deployment. Our experience was good.
What was our ROI?
I'm not sure of the exact amount saved, however, we have noted an ROI. We have avoided application vulnerabilities in production. We don't need to rework things since we look at the vulnerabilities right in development instead of after deployment.
It has reduced the cost of dev backups in our organization.
What's my experience with pricing, setup cost, and licensing?
The pricing is expensive.
However, if you have applications and not enough people to analyze the flags, you must use Veracode as it delivers very few false positives.
Which other solutions did I evaluate?
I did evaluate other options before choosing Veracode. I looked at Checkmarx and Fortify as well as a solution made in Brazil.
What other advice do I have?
We are a customer and end-user.
I'd rate the solution nine out of ten.
I'd recommend the solution to others.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr. Development Manager at RWS Holdings PLC
We're finding fewer and fewer issues through external security scanners or penetration testers
Pros and Cons
- "It's hard to say that any single feature is the most essential. There are many errors and vulnerabilities in software today in the standard libraries for different vendors because. We don't need to reinvent the wheel every time because we're using standard libraries, and it's important to know that your security isn't compromised because you are using libraries with vulnerabilities."
- "Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using. The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row."
What is our primary use case?
Veracode is part of our overall security program. We use it to scan our daily build pipelines and all our fielded releases. The primary features we use are static application security testing and software composition analysis.
We analyze third-party libraries for known vulnerabilities and take action. Veracode is also part of our release procedure. We put the artifacts from the record and attach them to the release documentation to provide our customers with those documents if needed.
How has it helped my organization?
Veracode has improved our product because we're gradually finding fewer and fewer issues through external security scanners or penetration testers. It plays an important role in the continuous integration quality assurance chain. We started using Veracode when it was supporting a 2017 standard. When the security standard changed to 2021, we received new issues.
We adjusted the policy and no longer have any medium-priority issues in our scan results. It has increased the quality of our security while enabling us to pass the two historical standards and maintain compliance. We have analyzed and cleaned up several thousand issues since we started using Veracode.
We use our internal policies for the WAF Security Standard, but it isn't an industry-wide policy. We do not use PCI DSS, etc., but it shouldn't be a problem to comply with that stuff. For example, PCI DSS isn't applicable to our case because we aren't managing any credit card data, working with medical devices, or doing anything involving the military. Some standards aren't applicable.
Veracode offers visibility into vulnerabilities at every step of the pipeline. Every night, we build source code and mark everything that was merged during the day. We check those reports once weekly and correct some issues that were detected. For software composition analysis, it's even easier because every time the record updates, Veracode sends emails to the security team. It also makes me aware of some newer capabilities in software composition and analysis.
It showed us a lot of flaws in various parts of our product and helped us visualize a lot of issues that we previously didn't know about. We had static code analysis, which is a bit different than Veracode. We were using a static code analyzer from Visual Studio, and it was mostly about development best practices. When we started using Veracode, we realized there were more problems that static analysis alone wasn't catching. It's an excellent tool for showing the vulnerabilities in your software.
It helps us save time and effort for a portion of our production. For example, if you're scheduling to release product improvements in the spring, you don't want to fix anything after it goes into production. From that perspective, fixing things before the code is released saves us time. It also protects our reputation because fewer issues enter production.
It sometimes saves our customers some time because they don't need to perform their own secret analysis because we've already analyzed the product and can provide them with the results much faster.
What is most valuable?
It's hard to say that any single feature is the most essential. There are many errors and vulnerabilities in software today in the standard libraries for different vendors because. We don't need to reinvent the wheel every time because we're using standard libraries, and it's important to know that your security isn't compromised because you use libraries with vulnerabilities.
We use Veracode as a quality gate. We do not do continuous delivery or continuous deployment. We're releasing about twice a year, so we use it as a quality gate in this situation. We should analyze various types of patch software. From my observations, it has been an excellent tool so far. We also have an external penetration testing effort, and the testers have not found any issues, so that tells us that Veracode has been successful at preventing issues from entering production.
I use the software bill of materials. Our product consists of many systems and components and redundancies that must be processed manually. We are in contact with the Veracode guys, and I think the next release will have this software bill of materials added. It isn't a problem with Veracode. It's a problem with the way we upload and build sources. In the implementation stage, we want the results as fast as possible, and we've done it in a way when we upload. It can be optimized when we upload it to Veracode.
What needs improvement?
Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using.
The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row.
In our project, we use a lot of limited packages that link to another library, and there may be issues in those reference libraries. For example, one library might be referenced by several Google packages. When it shows you a vulnerability in one library, you will not see the issues in all libraries. We've discussed the issue with the Veracode team, and they investigate a way to fix this. Hopefully, it will not be an issue.
For how long have I used the solution?
I have used Veracode for several years. I've led our product toward Veracode standard certification.
How are customer service and support?
I rate Veracode support eight out of 10. We had to contact support several times in the early years about a licensing issue we faced. We had some false positives in the licensing report from Veracode, so we raised a ticket with the support team, and they resolved it relatively quickly. We have regular meetings with a dedicated representative from Veracode, but we also get help from our colleagues on staff. At the moment, I'm happy with their support. They provide us with the necessary level of quality.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used SonarQ, but it's somewhat different because it's a pure static code analysis tool. Veracode has a stronger focus on web security, and we produce a web-facing product, so that's important to us. SonarQ is strictly a static code analysis tool.
How was the initial setup?
Veracode's setup was pretty straightforward, but there were a few challenges integrating it with our continuous integration system because there are lots of components. We wanted our source code scanned daily, so we had to change our build process. It's a bit tricky getting it to work with various parts of our solution. Our product is too complex, and there are lots of applications and flavors.
We did it ourselves because we have sufficient expertise. We're still tuning up our build process and reports. They have comprehensive documentation. We had help from Veracode support, who answered our questions about integrating the solution with our software. It was mostly building and tuning a little to build our software in debug mode and deploy it back into our cloud.
What was our ROI?
We can measure our ROI in the number of issues we discover and remedy. From a quality control perspective, a problem is more expensive if a customer reports it. If we take price into consideration, we've decreased the net cost of security because we're receiving fewer issues from our customers. You must also consider the reputational cost if the customer needs to implement the fix.
If we find the issue after the fact, we need to provide our customers with the fix, and that may require some additional processes on the customer side. However, it's hard to calculate how much money it saved us.
What's my experience with pricing, setup cost, and licensing?
We are not using the licensing much because we have a strict internal licensing policy. We mostly avoid GPL licenses and their flavors. Managing the licenses can be tricky. Sometimes you add a library and build some functionality around it, so it may cause some problems to remove it from its source.
Cost is an issue at every stage because you need to evaluate what you're spending and what you expect from the project. You should use common sense and clearly understand the pros and cons. It's hard to say whether the solution is cheap or expensive because it depends on your company's needs. Some companies need Veracode for compliance requirements, and it doesn't matter how expensive it is. It's costly, but it's the best in the industry. You can get something that does the job but it's like a car. You might buy a clunker for a few hundred dollars or an Infiniti for a hundred thousand.
Which other solutions did I evaluate?
We tried another solution before we started using Veracode. I believe it was HCL AppScan.
What other advice do I have?
I rate Veracode eight out of 10. You should evaluate at least two vendors based on the company's needs. A host of issues need to be addressed, and it's a significant task. Veracode shows you many issues, but you must develop processes to address them. It was impressive when we first scanned our sources and found a thousand, but we had to develop compliance policies to deal with them. My advice is to not make the policies too strict. For example, you can start with high-priority issues.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Testing Engineer at TollPlus LLC.
We like the secrets detection feature
Pros and Cons
- "One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities."
- "Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code."
What is our primary use case?
We use Veracode as part of our development pipelines. It gives us security feedback when we run our applications. Our applications are completely containerized in Docker images with a .NET 4.6 architecture. These are web-based applications, so we want to know that all the HTTP requests are secured. The tool provides us with feedback to ensure that our application security is robust.
We are primarily running Veracode to check for vulnerabilities after the build. There is no pre-build process. We are running a post-build static analysis and dynamic analysis. We run it at the end of the development process.
How has it helped my organization?
Veracode's ability to detect security vulnerabilities is excellent. We can feel confident that none of the vulnerabilities will make it into production. It doesn't take long to realize the benefits from it. The interface is intuitive. We could start to see value from Veracode within a couple of weeks.
We don't have many false positives. We're using the tool's default rules and haven't done much customization. We can feel confident in the solution's results.
We can identify most of the issues before the production stage, and it also enables us to develop better practices in the development process. We also have a security testing team using Veracode to discover vulnerabilities. The discovery of issues after static analysis is super-efficient. It reduces our time spent on these tasks by about 30 percent.
Veracode has had a positive impact on our overall security posture. It's comprehensive, which is critical because our applications are mostly integrated, so we don't want to take any chances.
What is most valuable?
One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities.
Veracode helps us prevent vulnerabilities from entering production. We can put it into the pipeline and set an acceptable limit for vulnerabilities. If the number of vulnerabilities is under the threshold, we can deploy automatically.
What needs improvement?
Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code.
For how long have I used the solution?
I have only used Veracode for a year.
What do I think about the stability of the solution?
Veracode is stable.
What do I think about the scalability of the solution?
Veracode is scalable.
How are customer service and support?
I rate Veracode support eight out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We evaluated another solution briefly but we decided to keep Veracode. Veracode has some issues with container scanning, and we have some container-based applications. We considered bringing in another tool for container scanning, but it was too expensive and Veracode was able to mitigate the issues well enough.
What's my experience with pricing, setup cost, and licensing?
Veracode is affordable. It offers a good value for the security benefits it offers, especially if you're working with applications that involve payment processing. You cannot afford to take chances there.
What other advice do I have?
I rate Veracode nine out of 10. I recommend Veracode, depending on the type of application you are scanning. It's a leading solution in this domain. Veracode is the first name that comes to mind when people are talking about security scanning.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager at a financial services firm with 1,001-5,000 employees
Good visibility and policy reporting with the ability to help developers save time
Pros and Cons
- "The product’s policy reporting for ensuring compliance with industry standards and regulations is great."
- "It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas."
What is our primary use case?
We were looking into compliance. I'm a consultant, and we're looking at it from the perspective of using Veracode to ensure that the organization we were consulting for was meeting its compliance expectations.
How has it helped my organization?
The solution has helped to improve the time to identify and remediate vulnerabilities that come from software - mostly through the static code analysis tool - as well as the ability to effectively communicate why the vulnerabilities are important.
What is most valuable?
The feature I've used the most is the static code analysis. It was incredibly easy to start using. As a new user, there wasn't a lot of lead time to understand how the software works. It was also very easy to communicate the vulnerabilities that Veracode found to the engineering teams that needed to remediate the issues.
We have used the software bill of materials. This feature is good for helping us manage our supply chain, security, and licensing. That comes into play a lot when we are working with federal contracts where certain materials or processes are not allowed within contracts with the federal government. We would use that to ensure that the software itself is compliant. It is easy to create these reports using this feature.
The product’s policy reporting for ensuring compliance with industry standards and regulations is great. It took its own compliance quite seriously, which is something I always look for when dealing with the vendor. There are certain vendors out there that aren't as serious about their own security. I was comfortable with what the product was doing.
Veracode provides visibility into application status at every phase of development throughout your software development life cycle. It definitely improved the efficiency of it. One of the key things Veracode can do is rank the vulnerabilities it identifies based on their severity. That allowed us to hone in on what was the highest vulnerability and then work our way down. Therefore, it definitely improves the efficiency of those operations.
Veracode's false positive rate, as far as I remember from my experience, wasn't that bad. Usually, what it will do is it will identify a vulnerability, and then it will explain why the vulnerability is important, and then through those explanations, the engineers and I were able to see if something is an issue or if it is a false positive. When it comes to eliminating false positives, you're never going to have 100%. While it did introduce a little frustration, what did remediate that was the explanations that the software provided.
The false positive rate affected the time we spent on tuning these policies somewhat, however, it wasn't too bad. It wasn't anything to complain about.
For the clients I work with, it has a significant impact on improving the ability to identify and then fix flaws. The tool itself does offer strategies to remediate the efforts if, for whatever reason, the engineering team doesn't understand how best to approach them. Usually, they do, however, it is nice that they offer that service.
Veracode helped our developers save time. From my experience, what would normally take two days we're able to get done in an afternoon. That allows our team to work on more efficient work and more impactful work.
The product has had a positive impact on the overall security posture of our organization. It has definitely improved it. Hands down, it is easy to say that the solution has had a positive impact on the security posture of the organizations I consulted for.
Veracode reduces the cost of dev backups. That said, it's hard to put a number on it. It reduces the dev set time and the work they do can then be allocated effectively to other items.
What needs improvement?
It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas. That way we could use it on higher level contracts. That would be a good business opportunity for the solution.
For how long have I used the solution?
I've used the solution for two years.
What do I think about the stability of the solution?
I've never run into any stability issues. I haven't heard of anyone else running into any either.
What do I think about the scalability of the solution?
The solution is highly scalable. We did run quite large programs through Veracode, and we also ran quite small programs through it too, and we didn't encounter any issues in either case.
How are customer service and support?
I've never needed to contact technical support.
Which solution did I use previously and why did I switch?
I cannot recall working with other solutions. I do have experience with a more traditional way of looking at code and identifying errors. That's where this product came in with the ability to just automatically catch those errors.
How was the initial setup?
I was not involved in the deployment of the solution. It doesn't require any more than ordinary maintenance. That's not a big concern.
What was our ROI?
I have witnessed an ROI while using the solution. It positively impacts our team's ability to get their job done, which reduces strain on employees and therefore reduces employee turnover, which, given the severity of the skill set that we look for, is incredibly impactful for us.
What's my experience with pricing, setup cost, and licensing?
It does pay for itself given the pricing structure. Of course, the pricing structure changes based on the sales deal, et cetera. It definitely had a positive impact on the organizations we used it with. Financially, it does make a solid business case for itself.
What other advice do I have?
I'd rate the solution ten out of ten.
Potential new users should ensure that they take into account the amount of time their teams are spending on dev setups and consider what other work those people could be doing that might be more meaningful - rather than physically looking through code. Veracode has the ability to improve a team's operations as well as an employee's efficiency with doing complex work. Companies definitely need to consider how efficient their team is and consider what this tool could do to improve that.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
DevSecOps Engineer at Tata Consultancy
Can perform software composition analysis along with static and dynamic scans
Pros and Cons
- "The best feature of Veracode is that we can do static and dynamic scans."
- "Veracode should include the feature to run multiple scans at a time."
How has it helped my organization?
I have manually worked in CI/CD pipelines without Veracode. We could get automatic reports after integrating Veracode plugins into the build tool. The pipeline has become much more automatic by integrating the solution.
What is most valuable?
The best feature of Veracode is that we can do static and dynamic scans. Veracode performs software composition analysis, and we can use the solution to download different reports like the summarized report. Veracode’s interface is good.
What needs improvement?
Veracode should include the feature to run multiple scans at a time.
For how long have I used the solution?
I have been using Veracode for one year.
What do I think about the stability of the solution?
Veracode is a stable solution, except on one occasion when I faced some issues. I rate Veracode a nine out of ten for stability.
What do I think about the scalability of the solution?
Veracode has good scalability. In our organization, Veracode is used only by our team, which consists of seven members.
Which solution did I use previously and why did I switch?
We have used the JFrog Xray tool for SCA (software composition analysis).
How was the initial setup?
Veracode’s initial setup was easy and straightforward.
What about the implementation team?
Implementing Veracode doesn't take much time. It takes only a few hours to implement the solution. Veracode was deployed by a team consisting of two to three members.
What other advice do I have?
I am into DevOps, and we have integrated Veracode into our DevOps pipeline.
I would recommend Veracode to other users.
Overall, I rate Veracode a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Product Manager at a hospitality company with 51-200 employees
Prevents vulnerable code, offers valuable recommendations, and frequent updates
Pros and Cons
- "The recommendations and frequent updates are the most valuable features of Veracode."
- "The false positive rates were quite high in our case."
What is our primary use case?
Our primary objective when using Veracode was to ensure the security of website development and other application developments we were working on. We aimed to prevent any security breaches and also closely monitor any potential vulnerabilities that could arise from code deployment. Fortunately, we were successful in identifying and addressing these vulnerabilities.
Although the responses were somewhat mixed, we managed to go two years without a single security breach, which was a significant achievement. In addition to monitoring security breaches, we utilized Veracode for continuous monitoring. The difference lies in the fact that once the code is deployed and access to the server is initiated, there is a high possibility of connecting to a different server or encountering interference from unauthorized individuals. This continuous monitoring allows us to observe each step of the server, including the IP addresses and protocols, and ensure their proper functioning. Veracode facilitated us in carrying out this monitoring effectively.
How has it helped my organization?
Veracode's ability to prevent vulnerable code from entering production is remarkable. We were once alerted that there was a possibility of a breach occurring. Despite spending hours pondering the issue, we were unable to determine how that possibility existed. After discussing with the support team, we eventually learned the cause. Therefore, in terms of detecting vulnerabilities, it was excellent. However, the problem arose from the fact that it was not well-customized for our organization. Consequently, there were multiple instances where flags were raised for our IP address or email, which we knew were not vulnerabilities. In such cases, we had to address them accordingly.
Veracode's reporting feature provides comprehensive insights into the security status of our code or application. These reports generated by Veracode offer visibility into vulnerabilities and different severity levels of threats that may be present. They also recommend remediation steps to address these issues without extensive code modifications. I find this reporting feature valuable. Additionally, Veracode regularly releases updates, sometimes multiple times a day, ensuring that we are consistently up to date. Although this requires my engineers to work extensively on integrating AWS services with our platform, it is one of the standout features of Veracode due to the recommendations and frequent updates it provides.
Veracode's policy reporting for ensuring compliance with industry standards and regulations is on the mark. Everything was proceeding as it should, with adherence to the established procedures, protocols, and reporting mechanisms by both the organization and the support team. At no point did we feel that the industry standards were compromised.
Veracode provides visibility into the application's status at every phase of development. Primarily, we were only conducting two types of tests. One was continuous integration, which keeps track of the entire application's deployment process. It detects any defects and ensures a smooth deployment. The other test we used to perform at certain times was manual integration. We would delve deeper and test additional aspects because we wanted to ensure with utmost precision that there were no vulnerabilities when deploying the application. Hence, we also had to manually utilize this program before deploying or pushing it to the code.
When conducting the cost-benefit analysis for Veracode after six months, we discovered that there were actually only two significant security breach possibilities. With the assistance of the solution, we were able to detect and resolve these breaches. The most significant advantage provided by the solution was the assurance that no breaches were occurring outside of the office. Any potential risks were either determined to be false alarms or promptly addressed. Therefore, the only actual breaches we encountered during the six-month period were two. However, we also gained a sense of security, which I consider to be a worthwhile trade-off for the cost.
Speaking specifically about the security department of our company, there was a notable reduction in costs after the introduction of Veracode. However, when considering the broader scope of all the development departments, we not only had to invest more time in each project but also had to hire additional resources. Consequently, when taking into account all the departments collectively, the overall expenses increased. However, focusing solely on the security development department, there was a substantial decrease in costs, approximately $7,000 per month.
What is most valuable?
The recommendations and frequent updates are the most valuable features of Veracode.
What needs improvement?
The false positive rates were quite high in our case. Prior to seeking a solution, we had already engaged in discussions with their support team, who also confirmed this issue. We had read a few reviews, which indicated the presence of false positives. However, in our specific situation, the number of false positives was substantial. There were instances when we logged in during the morning and encountered 30 or 40 raised flags. Resolving them sometimes occupied a significant portion of our day, often extending into the first half. Thus, in certain projects we undertook, the occurrence of false positives was considerably elevated. Despite being aware of this, we acknowledged that a majority of these flags were likely false. Nonetheless, due to the matter of security, we had to address them, resulting in a significant allocation of our time.
The false positive rate of the static analysis has impacted the time we spend on fine-tuning policies. We have had to allocate a considerable portion of the software team's time to address the significant number of false positives, resulting in substantial time investment. Additionally, some of our projects with clients have been delayed due to this issue. One particular project experienced a delay of approximately 25 days, with false positive cases accounting for an estimated 60 to 75 percent of the delay. The cost of the false positive rate is causing a slight disruption in the development process. Therefore, I believe this is the major area that needs improvement.
We initially deployed on the AWS cloud because AWS also offers us additional security benefits and most of our other solutions were already on AWS. However, I think Veracode could develop a self-contained cloud system, allowing them to deploy the solution on their own system. This would be beneficial for us as they could provide the data privacy we require. It would be great because each new update on the security process necessitates a slight change in the program.
The reporting features could be subcategorized if the bugs are categorized and subcategorized according to our requirements rather than the understanding of the security system. This would be beneficial because whenever we need to integrate or resolve a bug, it is crucial for us to identify the vulnerable parts of our code. This process requires additional time and effort. Moreover, it is often challenging for us to comprehend the specific changes the system expects from us.
For how long have I used the solution?
I have been using Veracode for two years.
What do I think about the stability of the solution?
The stability of Veracode, in my opinion, was not very reliable considering the need to consider false positive readings. We had to invest a significant amount of time rectifying or addressing those inaccurate queries, which made it a less-than-ideal solution.
What do I think about the scalability of the solution?
I believe the solution is scalable. I remember a time when we were working with four clients in total. Even though our agreement with Veracode was not to exceed three projects, we were able to manage that, and everything went smoothly. They were even able to implement registration. This probably occurred due to significant delays in one of our projects. I was able to onboard the next client, which means we were working with four clients at that time.
How are customer service and support?
The technical support team is knowledgeable. In the initial stages, when our team lacked the technical capability to perform manual configurations on our own, they assisted us with that. Overall, the experience was satisfactory. Nothing extraordinary, but it was good.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup was fairly straightforward, although it did take us some time. Our team lacked the necessary technical capabilities since it was a new endeavor. Before Veracode, our company didn't have any other security measures in place. Since it was a new concept, our employees also had a technical knowledge gap, which required some time for learning. However, the deployment process, on the whole, wasn't overly technical. It was done in two or three stages. The first stage involved initial queue meetings to understand the configurations we were using for deploying the code. The subsequent meetings focused on understanding the features we desired, how they would be implemented, and accessed, and their frequencies. Following that, the tech team took over and handled the deployment for us.
Six engineers were involved in the deployment, although the entire working team comprised twenty-two people.
What about the implementation team?
The implementation was completed in-house.
What was our ROI?
It is quite challenging to calculate ROI. However, I can confidently state that over the course of two years, we did not experience a single security breach. Furthermore, we ensured that our solutions were free from any vulnerabilities when delivering them to our clients. As a result, we established a positive reputation with our clients, as evidenced by the certification from Veracode, confirming the absence of vulnerabilities in our overall feature or code deployment. In summary, we maintained a flawless record of zero security breaches. Despite the difficulty in conducting a cost-benefit analysis, it remains an essential task.
What's my experience with pricing, setup cost, and licensing?
I believe the price is fair according to market standards. However, if we are anticipating a growth phase in the enterprise, it might be a bit costly for us. On the other hand, if we are currently making profits and aiming to stabilize ourselves while improving our solutions and working with our existing team, it suited us well during that period. We were focused on developing the final product, refining protocols, and enhancing overall product development processes for our brands. Therefore, I believe it was a good fit for us. However, organizations that are in a growth phase may want to consider other options, even if it means compromising slightly on the security aspect.
Which other solutions did I evaluate?
We previously evaluated other solutions. One of the primary reasons for choosing Veracode was the ability to configure it at a deeper level, which was not possible with the other solutions. Another advantage was that the other solutions did not offer a six-month trial period, unlike Veracode. We initially had a trial for six months, which was later extended to one and a half years. Therefore, pricing became the third factor. However, even at the end of the two-year subscription, we were unable to conduct a thorough cost-benefit analysis. This seems to be a common situation in the industry. Without experiencing a breach, it is difficult to assess the cost-effectiveness of a solution.
What other advice do I have?
I give Veracode a nine out of ten. I believe that, in general, Veracode is a good product. False positives and these types of issues can be found in almost every security product out there. The best part was Veracode's technical team. They were proficient in their knowledge and there was never a moment of misunderstanding between our team and theirs. Overall, Veracode ensured that we did not encounter any ransomware or security breaches at any point in time.
Our DevSecOps team was involved in two stages of the entire process. The first stage was during the initial design phase of the specific application build. We had to determine when and where we wanted to manually interpret using the tool, as well as identify potential security breaches that required close monitoring. This was the initial step. Following that, our team proceeded with development, which typically progressed smoothly in collaboration with the client for a period of two to three weeks. As we approached the deployment phase, we would once again discuss with their team to determine specific points where DevSecOps would manually deploy the solution for testing purposes. Afterward, we would assess the solution from our end.
The false positive rate did not have a negative effect on the confidence of our development team. It was made very clear to us by Veracode's support team, as well as through other reviews and conversations with clients, that there would be a possibility of false positives being raised. We had to go through them because we cannot afford to miss out on any potential security breach.
I don't believe Veracode has helped us save time. Overall, if we consider the larger context, saving time was not a direct expectation communicated by Veracode. Their expectation was solely to prevent any security breaches. Regarding time-saving, I don't think Veracode has provided any assistance in that aspect.
At the end of the day, when we were essentially thinking of transitioning to a new solution, primarily due to the high number of false positives we were receiving from Veracode, we conducted a cost-and-benefit analysis specifically for Veracode. We discovered that, overall, it prevented our solution from being breached for more than six clients. Considering our annual client turnover rate is approximately twelve to thirteen, Veracode played a significant role in addressing a substantial portion of our challenges.
I recommend negotiating with Veracode for a free trial period. We frequently engage in negotiations to secure a six-month trial. A trial will assist in comprehending the intricacies. While there are benefits, it is important to note that the time required for each project will naturally increase. It is crucial to understand how Veracode operates and determine if it aligns with the company's needs. However, regarding pricing, I am confident that Veracode delivers as requested.
Veracode functions solely within the development department, but within the department itself, we have a division based on the two types of clients we deal with. One type is primarily focused on development, while the other is focused on procuring or conducting quantitative analysis for the markets.
For general everyday maintenance, only two people are involved. However, for monthly maintenance, approximately six people from our end are involved, and I am unsure of the number of people from Veracode's end.
I would advise speaking with other clients like us who have already used Veracode. Prior to that, however, we need to understand what kind of security breaches are possible in our solution and determine how much of our money and time we want to allocate to addressing them. We should assess the importance of these breaches to us. Once we have this understanding, we can discuss with other clients how the overall process went and how much time it actually takes. The final step would be to directly contact their team and negotiate for a longer trial period. The best decision we made was to initiate a six-month trial with Veracode and then transition to full-time usage.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.