Veracode Reviews

We use it for security validation. As a company, we need to make sure that our code is secure. Not only do we need and want to do this for ourselves, but we also need to do it because of our security obligations to our clients.

It has been helping us capture security vulnerabilities that we would not catch otherwise.

When it comes to our ability to fix flaws, Veracode has given us more visibility into certain flaws that could show up, flaws that can be subtle and not seen in the code. For example, though it was not obvious, there was a case where a developer naively added the authentication into the code, which we're not supposed to do, obviously. It was not seen by our review process, and Veracode caught it and we were able to eliminate it.

It has also helped us to save time. The example, and where I see the most benefits of that, is in the Security Labs, where I have the developers training and constantly improving their security, and remembering their security techniques. That way, they are more proactive and make sure things are correct. They're faster because they're doing it in the first place.

Overall, in terms of our security posture, Veracode has made us more reliable. We're finding those flaws and our clients trust us more because of it.

And when considering whether it has reduced the cost of development, security, and operations for us, the short answer is no. But the long answer is yes. It clearly has added more procedures in place, which we needed to have, and that has definitely increased the cost of development. But in the long-term, how much have we saved from the intangible of a flaw not being exposed?

The Security Labs feature, in particular, is valuable, and I have been using the static code analysis as well.

I do have two pet peeves with the platform.

1. The user interface is slow as a dog; really slow. You go to any modern interface and it's a lot more snappy. Even though I understand a lot of what they're doing and why it might be slow, it is really slow. You click on something and it takes two to three seconds. That doesn't sound long, but it just feels super clunky.
2. There are many times when their product goes to check my code and it dies, and I don't know why. I've contacted support and they're not really helpful with this particular problem. I go to the logs and I look at what I can but I can't tell why the check process has essentially just died in the middle of checking.

Other than those two complaints, I still find it very strong and powerful.

In terms of additional features, the big one I would like to see is that, right now, I have to click through too many things to get to the triage report, which is the main thing I want to see for anything. I have to click through this one screen that doesn't give me any information and I really just want to get to the mitigation review screen quickly. Anything that would save me going through clicks and four or five different screens, because the interface is slow, would be fantastic. I want to get to that mitigation screen because the summary screens are not all that interesting to me. I need to know, "Is this mitigated? Is it not?" and get it checked off and reviewed.

I've been using Veracode for two years.

It has been a very stable product. I don't think the issues that we're having are related to its stability.

The scalability is "medium" because one of the things I've been having to do now is scale out more of the microservices by tier so that I can verify that the code is correct per tier. For me to scale up like that seems to be taking a lot of effort. I might be doing something wrong. Maybe it could be solved in a different way. But the scalability is average. On a scale of one to 10, I would put it at about five.

We do have plans to use more of Veracode. We are expanding into the SCA, where it is scanning the containers, and we've also just contracted with Veracode to do penetration testing.

The one time I had to use their technical support for the bug where a code check dies, I found them a little off-putting. They have never really fully answered the question. I got tired of asking because they didn't understand what I was saying.

During installation, their support was fantastic, a 10 out of 10. But in dealing with this one issue, I would give them a two.

Neutral

We haven't used another solution. Veracode is the first solution of this kind that we have worked with.

The initial deployment was pretty straightforward. We ran into some issues, but honestly, nothing out of the ordinary. I would definitely put it toward the easy side. I found the documentation to be appropriate.

The deployment time was days.

We are using Jenkins as our CI/CD. We're using Amazon Cloud K8 deployments.

We integrated it in two different ways. The original way was with AWS CodePipeline. For that, we used Veracode's Docker service. Once we had it hooked up and could send the file, that was pretty easy to use. The second way is we now actually use Jenkins for our code build. We do the same thing although we're going to change to the Jenkins plugin here shortly. But it was still the same, with the ability to use Docker to send the file to Veracode. Once we wrote it, it was really easy, which is why we did it that way on Jenkins. Through both of them, the implementations worked easily.

From the time of deployment, we saw the benefits within one to two months, which was fairly immediate.

There is maintenance required because, sometimes, the pipelines for our code review essentially stop. I have to go and check that, as I mentioned earlier. The second piece of maintenance is that if there are any flaws or false positives, you have to mitigate those results. We have two people involved in the maintenance.

I did the original Amazon CodePipeline implementation by myself and got it hooked up. As we went to more complex things, with Jenkins, that was done through an integrator DevOps team. On our side, it was just me involved.

I'm sure we have seen ROI, but I do not have a direct metric on it. There are a lot of intangibles in that. For example, what would be the cost of a particular flaw that we caught with Veracode, if it had gone live?

When I looked at the pricing, it was definitely a value. In terms of the service and what it's checking, the cost was very reasonable, particularly because we could have multiple code bases as part of a project.

Make sure that you're comparing apples to apples if you're concerned about the price of Veracode versus what you're reviewing. Some of the stuff that Veracode does and applies is not the same for other services. When I really compared apples to apples, I found Veracode to be rightly priced.

There were no costs in addition to the standard licensing fees, although we just signed up for a couple of other products.

We looked at other solutions but one of the big things that made a huge difference with Veracode had to do with pricing. Because we're moving more and more toward a microservices architecture, and we have about six code bases that make up our entire product, they made it clear that as long as something was a part of our product, it was the same price. That was amazing to us because competitors charged per code base. It was definitely a more economical solution and the one that made more sense, and is more in line, with our product. That really simplified the thought process for us and was a huge competitive advantage.

Veracode is a valuable tool to have in the toolbox to prevent vulnerable code from going into production. Veracode's false positive rate has been very good. It's reasonable. False positives take more time, but I have not noticed that time to be a significant burden. Its policy reporting for ensuring compliance with industry standards and regulations is adequate. 

In terms of having visibility into application status at every phase of deployment, Veracode doesn't provide that. It doesn't control the whole deployment cycle, so there's no way it can report on all of it.

The platform's interfaces look slightly antiquated but don't let that stop you from using it, because it has been a good solution for us.

The biggest lesson I have learned using it is that it's really nice to have these security checks in a single place in your code pipeline. We have multiple security companies at this point, but having the code review and product review security in one place helps us know that that part is "containerized." Having everything dealing with code review in one place is nice.

Every build running CI/CD on our applications, like Bamboo or Azure DevOps, will be scanned through Veracode SCA first. If its report for the build has a vulnerability or redundancy that is outdated or vulnerable, then that is our use case for our application. We have a lot of applications that need to automate these things, then get the report to the application team. Therefore, the security team needs to check these one by one.

We have a lot of people using Veracode, like the security team and DevOp. Also, the application team checks the Veracode result and updates it necessarily. Since it is integrated into our applications, there are a lot of users.

Our deployment model is on-prem. We deploy it as a JAR file inside our Cloud CMS.

We are using it to fix flaws in the code. Sometimes, we have reports that need to be checked. If it is a false positive, then we need to submit the false positive. However, if it is positive, then we need to fix it and perform a new scan to make sure the vulnerability has been fixed on the latest report.

After scanning, we receive report slides from Veracode. Their reports can help us to see the CVEs that we haven't even heard of and best practices that we can do, e.g., using logging properly, which is helpful. It helps us 50% of the time.

It has increased our security productivity by approximately 30%. It has reduced our development productivity by a bit less, since it sometimes breaks a lot of modules.

Veracode SCA helps us know about vulnerabilities before they go into our environment. This is one of its best benefits.

The most valuable feature is the security and vulnerability part of the solution. It shows medium to high vulnerabilities so we can find them, then upgrade our model before it is too late. It is useful because it automates security. Also, it makes things more efficient. So, there is no need for the security team to scan every time. The application team can update it whenever possible in development. Because we are using the Azure methodology, this helps us make sure that the application team can do it using the proper Azure method. For example, when we are using scrum, the application team can improve this Veracode scan on this scrum methodology. Therefore, if they were going to create a pull request, it would be detected. It would be scanned first before it goes to production or another environment, then they can fix it so we can do development more rapidly.

Our fix rate has increased by 15%. We know that we can update something now or put it in our roadmap to update later on in our application.

The mitigation recommendations are sometimes helpful. Sometimes, they are outdated. Sometimes, there are a lot of false positives inside Veracode. That is something that I already suggested to the Veracode team.

It could have better integration with our pipeline. If we could have better integration with our application pipeline, e.g., Jira, Bamboo, or Azure DevOps, then that will be very helpful. Right now, it is quite hard to integrate the solution into our existing pipeline.

If it has better integration with our DevOps pipeline, then we would use it more. However, at the moment, if the solution can be used for a new project, then we can integrate it. However, if that takes too long, we will integrate other things that are faster.

We have been using the solution for two years and a few months.

The biggest problem is with the false positives. However, it is quite stable for scanning compared to some other applications. That is why we are still using it.

At the moment, it is hard to implement on our pipeline. Therefore, we need better scalability, as it is quite hard to scale it to bigger projects because then the scanning will take a lot more time.

Their technical support is helpful. If we send a message to them, then they respond within the SLA. I would rate the customer service as eight out of 10.

Positive

While Veracode SCA may take some time to scan, it helps to reduce the number of scans that we need to do. Before, we needed to scan manually multiple times. Whereas, with SCA, we can just check one by one, then send it as a batch and scan it again. We used to scan 10 times or so. With this automated system, we now scan on average five or six times.

I know how hard it was for our DevOps to set it up.

The deployment process is different for each application. There are a lot of different things that we need to set for this solution. If we have a standardized system, not only using JAR but also other things, then that would be very helpful and make it easier for us to integrate. Currently, there is a lot of preparation that goes into setting up Veracode for integration with our existing applications.

Depending on the pipeline, it takes about five working days to deploy.

On our team, the solution has been very helpful. For more than two years, it has helped us get a lot of things on our application. It is easier for us to do fixes instead of just doing a pen test every time, then getting everyone to check it. 

It has good, fair licensing. If the price could depend on the scope of its scanning or the languages supported, then that would be better.

It is quite important to have fixed or static costs because it is easier for our financing.

Compared to other solutions, Veracode is more expensive but offers a lot for free.

We also evaluated SonarQube and Snyk in PoCs. We thought SonarQube and Veracode were good. 

We went with Veracode because its processes are very detailed and it supports a lot of languages. Though, compared to other solutions, it is difficult to integrate into the pipeline and can improve on its false positives.

Try all of the features. Make sure that you use the Veracode SCA with different languages since we can see differences between scanning Java, Node.js, or PHP.

For our site, we only use SAST and DAST for penetration testing. Also, the penetration testing for SCA is handled by another vendor since we have a different vendor for this usage. 

It helps indirectly with Webex.

I would rate the solution as eight out of 10.

We are using it for two purposes. The first is to analyze the final binaries in our normal development cycle and the second is for auditing old software.

It's a SaaS solution.

Veracode is able to analyze the final software products. We compile the applications and it's an advantage for us because there are a lot of areas where we don't have the source code. In some companies, only internal development is taking place and they have the source code and everything else for the software. With those companies, there are other tools that we can use. But for use cases where our company buys a product with the source code, but only the final executables or the binaries, only Veracode is able to work on that type of tool. We are working in the financial sector for big bank banks and insurance companies. A lot of times, these types of companies don't have the source code for the applications, only the final applications. This is the biggest advantage of Veracode, that it's able to analyze these types of applications.

We use the scanning process to help our security professionals and developers fix flaws in the code and that helps speed up the development cycle. It helps to "shift-left" all of the security control to the earliest phase of the development cycle. It has sped up the development cycle significantly. An unexpected vulnerability can stop the development pipeline, at least for a little while, and we are able to avoid that.

It has also helped to increase our fix rate by almost 100 percent. In the past, if it turned out that we had vulnerabilities, we had no time to correct them. We went into production with them. Now, we are able to fix everything, 100 percent, in the development cycle.

In terms of best practices, we have the results from Veracode and then we have a Knowledge Base of the types of vulnerabilities and how they should be corrected by our developers.

Another benefit is that it has helped us with certification and audits. We have a lot of automated reports based on the scans and we can show them to the auditors. That has saved us a lot of money and work.

And Veracode SCA has helped to reduce the risk of a security breach because it finds vulnerabilities as early as possible. It has increased our security and development teams’ productivity because, with the automated scanning, we are able to scan much more than previously. It saves us at least one week per development cycle, if not more.

The recommendations from Veracode have improved our efforts in fixing potential vulnerabilities, and not just finding them. That's important for us because fixing is a very expensive process. If you can save time on that, it is a big help. And SCA’s automated, peer, and expert advice have definitely reduced remediation times, saving us at least a week per development cycle.

Overall, SCA has significantly lowered the risk of vulnerabilities. If we didn't identify them before production, and it turned out that there were vulnerabilities, there would be a big risk. We would have to go into production with them or stop the development pipeline. So it lowers the security risk significantly by doing early scanning. It has reduced our risk by at least 60 percent. It definitely helps create secure software. That is 100 percent important because we are working for financial companies.

It's good that it's cloud-based because we don't have to operate a new IT system for security scanning.

It provides a centralized view across all testing types, including SaaS, DAST, SCA, and manual penetration testing. We now have a central place with overall visibility.

In addition, the mitigation recommendations provided by the scanning engine are good. They are not all perfect, but they are good and usable.

There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow. Also, because we are located in Europe, it would be a big help if they had a European or national service, because of the regulations, not only because of the speed.

Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it.

We have been using Veracode Software Composition Analysis for more than two years.

The stability is good. We haven't had any problems.

The scalability issue is a good question because it's not too fast, but it's scalable because it's cloud-based.

We use it for 10 critical applications.

Their technical support staff is skilled. We have been able to solve all of our problems with them. I wouldn't rate them a 10 because sometimes it's time-consuming to get the right guy to answer our questions. But we always get answers to our questions.

Positive

We used SonarQube because the developers liked it. We also used Checkmarx. We switched to Veracode SCA because of the binary scanning ability. Neither Checkmarx nor SonarQube is able to do that.

The initial setup was very easy. Because it's a cloud-based service, we were able to do it without the help of Veracode. We just read the recommendations and followed them. We had three guys involved, two developers and one security guy.

It took three months to implement. Our implementation strategy was to do a pilot and then everybody in the organization copied the reference implementation.

Our return on investment is due to saving a lot of development hours.

It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it for only 10 of them. But the other solutions are also expensive, so it wasn't a differentiator.

The static cost model is not that important. Veracode works on a subscription model, so we have to pay for it every year. 

We chose Veracode's Software Composition Analysis after we evaluated more than 10 products. Among those we evaluated were Checkmarx, Fortify, and SonarQube. The primary differentiator was the binary scanning use case.

Use Veracode for the special use case of binary scanning, because it is the best in this special use case.

Security Labs is very good as well. We are not using it day-to-day, but it's a good feature.

Veracode helps to prevent vulnerable code from going into production. They are providing remediation support. They provide a specific solution. If a code has any vulnerability, they provide the snippet of that code. They also provide recommendations. Their support team is very active. If you have any concerns related to the vulnerabilities, they schedule a call and resolve your issues. That is very good.

With Veracode, there are fewer false positives as compared to other tools. It provides genuine vulnerabilities. It is also user-friendly. They are not only sticking to SAST testing. They also have pen testing.

The visibility that Veracode provides is good. They provide a proper dashboard for everything. We have visibility into the application status at every phase of development - Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test. I am satisfied with it. We have not integrated it with our DevOps pipeline, but it has all the features for easy integration.

Veracode helps us to fix flaws. They provide very good recommendations. It is very easy for a developer to fix the flaws. They provide a specific solution.

Veracode has helped our developers save time. It has been very useful.

In my experience, Veracode is one of the most powerful tools available in the market from a security perspective. It is a market leader in source code analysis.

I am expecting some AI-related features in it. Also, if someone is using AI-generated code, Veracode should be able to detect that.

I have more than 12 years of experience working with Veracode. 

It is stable. There are no unplanned downtimes. If they are going to have downtime because of maintenance or any other reason, they communicate that to you a week before. They not only inform you by email. They also alert you through their portal.

Their support is good. I would rate them a ten out of ten. 

Positive

I work with almost all the tools available in the market. Its competitors are AppScan and Fortify. Synopsys is also there, and Checkmark is also there.

Veracode is the best tool as of now. That is because of the quality of the product and technical support. Veracode supports all the testing options.

Veracode is a leading tool in the market for code security. It is all about the source code review from a security perspective. It identifies the vulnerabilities in the source code. Apart from this, they also provide services for run-time code. If you have your application in production, it can also find vulnerabilities in that. They also support software composition. If your application is using a third-party library, they can identify the vulnerabilities in that.

It is straightforward. It is easy to deploy because it is a cloud-based service. It does not take long.

They are a mature company. They have already worked a lot on all the things. They keep on coming up with new features. Their R&D team is very good.

The ROI is in terms of time savings and security. If an attack happens because of a vulnerability, it costs a company and impacts its reputation. No one should be compromising on security.

As compared to others, it is a costly solution. It is overpriced, and many organizations with a limited budget cannot afford it. That is why they are going for other tools, but those tools are not that effective. Veracode is better in terms of quality. If you want good service, you have to pay for it.

I am working at a consultancy, and I did a PoC with five or six top tools in the market. I found Veracode to be the best in every aspect.

I am currently looking for some AI-powered tools. I am exploring the AI capabilities of various tools.

Overall, I would rate Veracode a nine out of ten. With AI capabilities, it would be a ten.

We use the solution for identifying bugs before deployment in the software-side cycle process.

It can be integrated with our CL and CDProp pipeline, and it can be used with multiple integrations in our Visual Studio Code editor. That's the main use case.

We've saved a lot of time since using Veracode. We've also been able to cut down on costs since we require a lot of penetration tests for testing our software. Veracode helps us drastically reduce these costs. We've cut our costs down by 40%.

The solution provides us with a feature that we can directly use with static and dynamic analysis. With static analysis, we can use it while the app is not running, and with dynamic analysis, we can scan our application while it is running. It provides efficiency and also saves a lot of time for penetration testing and bug testing.

The capabilities of the analysis of the code base can help us effectively detect potential vulnerabilities. This is the most valuable feature we found. It can be integrated with multiple code editors, and it can also be integrated with various CI/CD pipelines.

The dynamic analytics is efficient. It helps us identify bugs while the app is running. We find that this ability is way better than its competitor.

Our impression of the solution's ability to prevent vulnerable code from going into production is positive. Prior to Veracode, we used to deploy our apps, and it used to be an expensive process to fix the bugs and all the potential vulnerabilities after deployment. Now, we have access to AI. It has AI tools, which have been trained with a lot of data sets. It helps us to detect bugs and fix them.

We use the free access to VeriCloud's application security consulting team. The consulting team has helped us a lot, and we've had positive experiences with the vendors. It is efficient and very fast. It takes less than two or three days, and they always respond positively. They are really fast at solving our problems. It's important for us to have access to an application security consulting team at no extra cost.

We use Veracode's AI-generated fixes. They make fewer errors and are very accurate. We've had a very positive experience. They've saved approximately seven hours of debugging and error finding versus the manual penetration testing process. 

The solution's policy reporting for insurance compliance with industry standards and regulations is very helpful. It's fast as well. The team helps us at every step of the product life cycle. They provide us with very useful visibility into things like static analysis, composition analysis, and manual penetration. It significantly helps us to reduce the time that we have to manually fix the bugs, and it also provides us with an efficient solution for future cases via past analysis through its data algorithm. We've saved six to eight hours compared to manual fixing.

Veracode has had a positive impact on our organization's ability to fix flaws compared to the prior. It has reduced our costs and time, and it has also provided us with multiple security functions. That, and it's made our application a lot more secure. It really helps our devs free up time due to less debugging needed on their part.

The solution has helped us a lot with our overall security posture. Many security features were fixed prior to release, and we've been able to reduce manpower and employee count. We've reduced teams from six or seven people to two or three. 

The integration capabilities with our existing development tools are very good. The integration process was easy. It has stable APIs.

The solution does take a bit more time when we use it for multiple processes. When we use it for a single process, it takes up less time. The cost also goes up when we use it for multiple processes. 

I have been using the solution for six months.

The solution is very stable. We haven't come across any bugs. 

Our security team of three uses the solution. 

It's great for scaling. We can use it on multiple projects which involve multiple security flows.

Technical support has been very fast and efficient. The team helps us at every phase of the development cycle. 

Positive

We did not use a different solution. Previously, we relied on manual testing. 

We deployed the solution in about three months. We had a team of eight working on the implementation. During the process, I was in charge of, IT was in charge of security, and the AI algorithm.

We don't require any maintenance.

Even after six months, we've seen an ROI. In terms of resources, it's great for cost-cutting. It also generally cuts costs by 40%.

The pricing is moderate for particular processes. However, if we take an entire process in general, it can be costly. It's more economical to use it for single purposes instead of generalizing processes. 

Thanks to its algorithm, Veracode is an on-demand service that can be very cost-effective. With so many features, we no longer require many people to test.  

If they are worried about pricing, people should try out their demo feature, which is available online. That way, they can demo and evaluate how it would work for them. If it works for their team and product, they may find it can optimize their processes. Of course, it depends on the use case. 

I'd advise colleagues considering Veracode to evaluate the specific requirements for their application and do an in-depth analysis. I would recommend it as a product.

I'd rate the solution ten out of ten. 

We use it for security, to analyze our code.

It changes the DevSecOps process because we find flaws much earlier in the development life cycle, and we also spot third-party software that we don't allow on developers' machines.

It's bringing clarity to the flaws that we can mitigate, and that's the main purpose. We can have a brisk conversation about the flaws. Not all flaws need to be fixed because there might be other protection measures implemented.

Veracode has increased our level of security to the highest possible standard, so we have been able to be ISO certified and meet Microsoft compliance. We have met many industrial standards from a compliance perspective by having this high level of security and trust in our application. That applies to our platform as well, because the dynamic analysis has opened up vulnerabilities in the platform.

We are using three of the features. Static analysis, dynamic analysis, and the code composition for third parties. We also use their Security Labs for training.

Veracode does a great job of preventing vulnerable code from going into production, and its policy reporting for compliance is also very good. It meets our needs.

And if you use it correctly and bring early feedback into the developers' environment, it provides visibility into application status at every phase of development. But if you only use it as an analysis after the product has been built, then you don't have the whole life cycle. So it really depends on how you integrate Veracode. For us, it gives full insights.

There might be room for improvement in the in-app guidance and the tips and tricks for the developer about how to progress. We would like more insight into the development environment, where they would get guidance on how to avoid flaws.

I have been using Veracode for the last three years.

We use SonarCloud, which does a different type of analysis on the static code but not on the compiled code. It's a different way of detecting security flaws.

I was involved in the deployment of the solution all the way through, from purchase to acquisition and deployment. It involved a lot of new learning. But we had a very good implementation consultant from Veracode assigned to us who made it pretty simple for us. I don't think we could have done it ourselves.

We did a proof-of-value exercise, which included educating two senior developers. The total implementation time was about two months. We focused on one area of our application and got the scanning process up and running and stable. Then we started applying it to more applications.

We only used two people from our organization to complete the work. Then we educated all the developers about using the extension with the EDI. We then found a person who would be responsible on each delivery team who ensures that their application is maintained within our policy level. Each team is responsible for keeping their application within those standards.

We got help directly from Veracode. I would rate their help at eight or nine out of 10. They helped us implement it into our pipelines, daily processes, and software. And they helped us understand how to mitigate the flaws and how to open up consultation hours if there was something we disagreed with, such as false positives. They gave us very good onboarding and implementation.

From a commercial perspective, the impact that the Veracode certification has had on our ability to sell to large enterprises is non-debatable. The return on investment has been met, for sure. It took six months and occurred when we had finished implementing and got the certification.

We haven't really done any price checks on the competitors.

We purchased a Security Labs license to keep our developers trained in new security practices.

Every development company is different. If someone is looking at Veracode but concerned about the price, it probably depends on their technology stack. There are pros and cons for every decision. As a happy customer, I can say that the service level that I have received from Veracode has been high and understandable every time That also counts a lot. And it's not about the software; it's about how we actually utilize the software best.

We had three or four other candidates from the reports that we evaluated from a user review site, but we ended up deciding to use Veracode because it had the best price and match for our technology stack.

At that time, Veracode's advantage was predominantly because it was SaaS-based software, and the implementation team was very supportive in making sure that we got it properly integrated into our processes.

The false-positive rate is constantly maturing. It's very much based on how many respond back. It's learning based on the false positives. My team thinks that it's better to have a false positive many times than miss a real one. The effect on developer confidence in the solution when fixing vulnerabilities is that it sometimes leads to frustration because they find that it's slowing them down, but the way that the engine is constantly maturing means it is becoming better and better.

I don't think any security or quality analysis tool brings speed. But it increases the quality, both from a risk/security and reliability perspective. But if you're looking at productivity, none of these tools bring productivity. They mitigate risk. It has not made our development process faster.

I use Veracode in multiple places including static code analysis, penetration testing, and dynamic code analysis. It is part of our pipeline and integrates well with Bitbucket and Git pipelines.

The ease of integration with Bitbucket pipelines and Git pipelines is vital for us. Veracode allows us to easily summarize issues and provide quick, actionable insights. It offers confidence by preventing exposure to vulnerabilities and helps ensure that we are not deploying vulnerable code into production.

Veracode can improve the licensing model as it is a bit confusing. 

Additionally, threat modeling and asset management could be made more general rather than very specific.

I have had experience with Veracode for a few years now, at least a couple of years.

I have seen an upward rating of eight or more out of ten. They are very responsive and quick to help with queries within our scope.

Positive

We considered other solutions but have stuck with Veracode due to an enterprise level licensing deal and it serving our immediate important needs.

The licensing model is a little confusing, but we have a good relationship in terms of how it is set up. The pricing and model align with the needs of the developer community and the cybersecurity office.

I would recommend this solution as it is adaptable for threat modeling and penetration testing on contemporary tech stacks. 

Overall, I rate the solution an eight out of ten.

My company produces one of the most secure fabrics that you can find. Veracode is integrated into our development cycle through Jira. We do a full static analysis with Veracode and use Burp Suite to review the findings. The most common attack vector we find in Java code is SQL injection. When SQL injection shows up, you send a screenshot and a report to your executive team. They see the screenshot and say, "Oh, they're seeking injection here." 

This has now become a top priority. We're going to pause all these redundant features that we're making here and ensure our code is secure with no SQL injection vulnerabilities. Veracode finds everything, and the security engineers do the penetration test using the results. You provide a report showing where the issue is, and developers can fix it. We also use Veracode to train security engineers and teach them how to file reports.

My case is different from other individuals. I worked for a startup, so we had to find a way to capitalize on all the resources in Veracode. Larger organizations are not leveraging the built-in dashboard. That aspect is what people want to know about. They want to see how their money is being spent on security. The biggest problem with security is getting funding. None of these executives believe anything these users are saying until they can see the results.

They want that dashboard report. In less than three weeks, a junior security engineer can learn to create a dashboard easily that will allow the organization to stay on top of the most important things. They need to show the stakeholders that we're doing something here. They'll get the certification and see the dashboards. You now have something that's actually worth $2,000. With these other ones, who knows what you'll get. 

It allows us to provide a certificate showing stakeholders and potential customers the proof that we take security seriously. Everyone says that they're on top of their security and have all these things in place. In a sales call, we can immediately respond to any questions about our security posture by pointing them to a link showing that your company was among the few companies that completed the full certification process. Veracode has four levels of certification, and we are at level three, I believe. 

To my knowledge, Veracode is the only real devSecOps pipeline that captures every component of the software delivery cycle, from sandbox and staging to development and production. You need to go through those four phases and ensure the code is secure by the time it hits production. Veracode handles all those phases seamlessly and can be automated with Jenkins.

Veracode is highly efficient at fixing flaws. A single person can go through and do a penetration test after collecting the data from Veracode. Instead of telling developers where the issue is, they can show them in the code editor for the static analysis. They can assign tasks to the team using Jira, so developers almost never need to do that work. They actually almost never go back and fix any of these vulnerabilities. That's why I was my company's most hated and most loved man. I forced them to do it.

I like Veracode's API. You can put it into a simple bash script and run your own security testing from your MacBook in less than 15 minutes. Veracode's application security consulting team is very helpful. They're responsive and follow up quickly. 

Veracode would benefit greatly from more training resources. The videos are great, but I would like more hands-on training writing a script, validating a script with a unit test in a different language, etc. That's something that would be very valuable. 

We have used Veracode for more than four years.

Veracode is highly stable. It very rarely crashes. 

I rate Veracode support 10 out of 10. Their customer support is incredible. If I have any issues, I can immediately connect with their support team and have a real working solution within one week.

Positive

Deploying Veracode is easy. I had the best customer success manager at Veracode helping me. After deployment, Veracode requires little maintenance. 

Veracode is inexpensive and cost-effective. The licensing model is unambiguous. You know what you are getting. They also give you several seats for training. That's why it would benefit them to improve the training because more people could take advantage of it and use certifications. Some certifications for other products don't have much real value, but Veracode is a product many companies use, so it could help people get jobs.

If you're concerned about the cost, you should meet with a representative to talk about pricing. Veracode is flexible, and they're willing to let companies try the platform or test different features. They will work with companies to get to the point where they'll use it.

I used JFrog X-ray with homegrown scripts for testing the code. It was terrible. We chose Veracode because it is more scalable. We could run scans on any code, and it was reliable. Also, their documentation was up to date. With other software providers, you would find an issue in the documentation, and they would backtrack, saying, "Oh, no one's using that." 

Veracode immediately responds to the community. You have people in the community supporting each other and suggesting new features. Software providers say they're open to suggestions. Veracode will quickly get something from the community and immediately put it into development. JFrog has the same stuff as they did four years ago. They haven't changed anything. 

I rate Veracode 10 out of 10. Veracode is constantly changing and improving.