Veracode Reviews

We are quite new to security systems. We have not adopted Veracode at the enterprise level. We are using the GitHub Advanced Security system. We were looking for static code analysis or software configuration analysis tools in the market. That is when we explored Veracode.

We want to centralize our security systems so that any repository that developers are using or creating in our organization follows the same set of standards. We want to have all the security checks and all the static code analysis done at the same level and with one client.

We have had challenges with security because developers come from different organizations and different backgrounds. They have different ways of coding. Based on their experience, they write the code, but there is a very high chance of having vulnerabilities in their code. The PR reviews used to take a lot of time for the reviewer. By implementing such a solution at the enterprise level, we assume that we will save a lot of time for developers and code reviewers because everything will be done by the tool. It will impact us a lot.

Veracode is quite good. It checks the security vulnerabilities in our packages. It discovers them very nicely, but it is not a tool for improving code quality. It does not provide very good static code analysis.

Veracode's policy reporting is fine for ensuring compliance with industry standards and regulations.

Veracode provides visibility into application status at every phase of development.

Veracode saves our developers' time. They are not doing manual PR reviews. It has saved about 20% of the time because we are still in the adoption phase.

We have a lot of confidential data of clients. We do not want our application to be exposed outside. We have configured a code quality gate, so before production itself, it blocks the PR deployment and allows it once all the security checks are passed.

Veracode is one of the tools that helps to verify external dependencies. Veracode helps a lot there.

One thing that I like about Veracode is that it is quite a good tool for dynamic application testing. It is a little bit better than DeepSource and SonarQube in terms of software composition analysis and dynamic application testing. 

When I was looking into it, my initial impression was that it has a good UI as compared to other competitors.

A negative issue I found is that it has a subscription-based model. 

If Veracode can provide static analysis in terms of how we can improve the code quality, it will be quite a good feature.

I have been using Veracode for 2 years.

It is quite stable.

We have not deployed it on our on-premise system, so it is quite scalable. There are no issues with that. I would rate it a 6 out of 10 for scalability.

We have not used their support extensively, but when we were choosing Veracode, I felt that they have a very good support system. The support they provided was good.

Neutral

I also work with SonarQube. I did not switch from SonarQube to Veracode. We are using a combination of both because SonarQube provides good code quality, but Veracode does not. Veracode provides very good dynamic application testing and software configuration analysis, but SonarQube does not. A combination of both is meeting our needs.

Configuring SonarQube at the cloud level based on our requirements is quite challenging. The support is based on the community. It is not something we consider as an enterprise-level tool, whereas this is not the case with Veracode. These things are better in Veracode.

I was not involved in its deployment. I am in the quality team. The DevSecOps team takes care of its deployment. That team has 8 to 10 people.

It does not require any maintenance. Everything is done automatically by the vendor.

Everything was done in-house.

It is too early for that, but Veracode will save us development effort and time. That will be the return on investment for us in the future. We will be able to measure its overall cost-effectiveness by comparing what we are paying for the service and how much developer time it is saving. 

We are still considering it at the enterprise level. It has a subscription-based model. We find its price a little high based on the features it provides. In addition to the standard licensing costs, there are no additional costs.

To someone who is looking at Veracode but is concerned about the price, I would recommend exploring it themselves. They might not need the same features that we need. They might be looking at some other aspects of security. I would recommend exploring it and doing a price evaluation based on their needs. 

We also explored DeepSource for some time, but we did not go for it. The functionality that DeepSource provides is somewhere between Veracode and SonarQube. Veracode was a little bit better, and that is why we went for Veracode.

We do not use the free access to Veracode's Application Security Consulting team, but we are planning to use it. We have not yet used the Veracode Fix feature that produces AI-generated fixes. It is a new feature.

The fact that Veracode does not scan source code, only binary code, does not concern us. We are using multiple tools. Veracode is one of them.

Overall, I would rate Veracode a 7 out of 10. We are still adopting Veracode. We have not gone through all the features that Veracode provides. Its rating would probably increase after a few months of use. I would recommend Veracode to others.

I used Veracode in my previous company. My role was to assist the team in identifying the vulnerabilities in the reports. I identified those and diverted them. The software team was responsible for taking appropriate actions to fix those.

We used Veracode in our environment to have account verifications or transaction confirmations. Apart from that, we had event registration as well as membership confirmation.

Veracode provides visibility into application status at every phase of development. My role was to analyze the vulnerabilities and pass them on to the software team. The severity of a risk was provided by us, and the software team was responsible for mitigating that. It helped us a lot in mitigating the vulnerabilities. We were able to proactively react to anything malicious.

It helped with early vulnerability detection and automated security testing. These were two things for which I usually used to use Veracode.

The static analysis and the dynamic testing methodologies for security vulnerabilities helped us in our development process. It allowed our developers to address issues before they became complex or expensive to fix. That was one of the things that helped us a lot.

Veracode helped us with the Log4j vulnerability. At that time, we relied completely on Veracode.

Veracode helped our developers save time. Proactively fixing the vulnerabilities saved a lot of time. It saved 50% to 60% of the time. Fixing them after the sprint is over takes more resources and time and also costs us. Veracode saved time as well as the cost.

Veracode helped us with the shift-left security strategy, but we did not rely much on Veracode for that because we already had something for that. Veracode was good enough overall.

The scanning is most valuable. The scans given by Veracode are one of the key features that I like.

The integration with DevOps pipelines is seamless. 

The scans were sometimes not accurate in version 2022. There were some false positives in the vulnerability reports. We used to get false positives, and we were responsible for checking all of the alerts and determining whether they were true positives or false positives. They might have already improved it. If they have not, they can look into how to mitigate false positives.

I have used Veracode for almost two years. 

It is stable.

It is scalable. The agents were deployed on about 2,000 machines. For administration, we had a SOC team. It was filler work for them, but we had a team of 13 people.

Dennis from Veracode helped us right from the deployment. If there was any critical task, he used to help us with that. We hardly had to reach out to their support for any issues.

I have used different solutions. I have used Darktrace. I have used CrowdStrike and Carbon Black. In my current company, I am using CrowdStrike.

When I was using Veracode, each agent needed to be deployed on each machine. I do not know what they are using now. CrowdStrike is a single platform with a single agent. You can deploy it on all the machines. That is one of the advantages. Moreover, I have become used to the GUI of CrowdStrike over the last year or so. I am more comfortable with CrowdStrike, but it depends on person to person. I would rate Veracode an eight and CrowdStrike a nine out of ten. I am a bit biased toward CrowdStrike because I am currently using it in my organization. I am not using Veracode here.

I was involved in its deployment. It was super easy. The support that was provided by them was fabulous.

There was a delay from our end. It took us almost 90 days to deploy it, which included approvals and other things.

We had a consultant from Veracode. His name was Dennis. We were satisfied with his job. 

I used it for two years in my last organization, and we saved a lot of costs. It was not related to the product; it was related to the risks that we used to get. On the technology side, it surely saved a lot.

They keep on working on their product. They keep on upgrading that. The threat landscape keeps on evolving, and there are new threats every day. The Veracode team helped us in mitigating and remediating them and guiding us with those particular threats. I would surely recommend Veracode. I even tried to recommend it over here, but I am not one responsible person for that decision over here.

They have recently introduced a feature called "Veracode Fix" that produces AI-generated fixes. I read about it somewhere. It does vulnerability identification and prioritization and some behavioral analysis. It does dynamic analysis of any malware or any abnormal or malicious behavior. It is evolving. One more thing that I read was pattern recognition. The AI algorithm that has been provided recognizes patterns. It can assist in recognizing patterns and trends in security data.

It has policy reporting for ensuring compliance with industry standards and regulations, but we did not use that.

To those who want to use Veracode or any similar solution, I would advise being aware of their environment and security posture and seeing where it fits into their security posture. If they proactively work on the alerts provided by Veracode, they will surely save a lot of money, time, and resources. I would suggest working proactively on the alerts given by Veracode.

Overall, I would rate Veracode an eight out of ten.

My company is a financial and technical enterprise with involvement in healthcare as well. We use Veracode for scanning, utilizing both SAST and DAST approaches. The purpose of static testing is to assess our code for vulnerabilities before deployment. After completing this step and addressing any identified issues, we run dynamic application security testing on the applications we've created to ensure there are no vulnerabilities introduced after the build. These could be issues that arise during the execution of the code, rather than being inherent to the code itself.

Additionally, we are currently considering or in the process of transitioning to Veracode for a specific function known as Software Composition Analysis, which is among the services they offer.

In terms of my use cases, I oversee approximately 200 development teams managing around three to four hundred projects. About 30 percent of these projects are connected to Veracode. Moreover, I manage a user base of over 700 individuals, and many of our build pipelines include immediate SAST scanning during the building process.

We currently use Vericode Cloud, specifically the public cloud. At the moment, I am in the process of deploying two Veracode ISM management servers from their platform. These servers will be responsible for scanning our internal applications that are not exposed to the external world. One significant aspect is that our company decided to transition to the cloud approximately three years ago. Initially, we had 27 data centers scattered worldwide, but now we have reduced that number to five. By the end of this year, we plan to further decrease it to three, and eventually, we will likely have only one or two data centers in the future. However, there are certain things that we cannot migrate to the cloud.

Veracode's ability to prevent vulnerable code from being deployed into production is excellent. It is considered one of the best scanning tools available. We have conducted several comparisons between Veracode and other products in the market, and Veracode consistently ranks first among those we have tested.

With Veracode, the amount of vulnerable code that gets through is almost negligible. When we run a scan, we don't expect to find any significant vulnerabilities because the SAST usually catches almost everything.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is excellent. It is applicable to us as a multinational company with PCI and HIPAA requirements, and we also engage in government projects. Consequently, we are obliged to adhere to any relevant regulations, which is why we have implemented numerous policies that automatically alert us when any action might potentially violate the established guidelines.

Although Veracode can offer visibility into the application's status at every phase of development, we do not rely on manual penetration testing because we have our own testing team. Instead, we use SAST from the moment our developers start typing the code until the deployment phase. 

The visibility has significantly expedited our DevSecOps process. Now that we've integrated Veracode and included it in our build pipelines, we can provide feedback on potential issues and vulnerabilities in their code much more quickly. Our team appreciates and is delighted with this improvement because, previously, we had to wait until the builds were completed, then run DAST and subsequently present them with ten pages of issues, which would take them ten to fifteen days to address. By adopting a left-shifting approach, we've moved the bar further to the left, reaching a point where we can hardly get closer than we are now while they are actively coding. The only way to provide them with even faster information about potential vulnerabilities in their code would be to offer feedback as they type and when they push the code to the main build. Unfortunately, as of now, there are no tools available that can accomplish this.

Veracode has been a great benefit because it allows developers to log in to their code and examine the specific vulnerabilities they were informed about. Typically, there is a description of why and how the vulnerability occurred, along with guidance on how to resolve it. Veracode significantly aids our organization in fixing flaws.

Veracode helps our developers save time. While I cannot provide a precise estimate of the actual time saved, I can explain that the more we shift the SAST to the left, meaning running it as soon as the developers enter their code, the more time we can save. This is because when developers have the code fresh in their minds, they have a better understanding of what they wrote and how to fix any vulnerabilities based on the provided descriptions. On the contrary, if we shift the SAST further to the right when the code is already completed and possibly being reviewed by a different developer, it will take more time for them to understand the original code and the vulnerability's context. Thus, the original developer could have fixed the vulnerability in a shorter period of time. Additionally, considering the learning curve for new developers down the line, it becomes even more crucial to have the original developer fix the vulnerability promptly. If we only run DAST without SAST, we might end up with a long list of ten thousand potential vulnerabilities, which would require weeks of work just to address them all sequentially from the start.

Veracode has had a significant impact on our organization's security posture. When I first arrived, we were only connected to about three different teams. Originally, we only had seven or eight teams. Now, we have almost two hundred teams. One of the most significant changes is that even with those seven or eight teams, only two or so were using Veracode. However, we gradually added more teams as they came on board. Subsequently, there was a major organizational change, and Teams were divided into smaller, more compact, and agile units, which is the new trend in the industry. As a result, the teams are now much smaller, more diverse, and more agile. We are now connected to 70 percent of the two hundred teams. We have expanded considerably, but there is still more to achieve. The efficiencies have improved significantly, and the developers are satisfied with this progress. This shift is excellent for security because we were usually known as the "no people," but now we are transforming into the "yes" and "let me help you with that" people.

Veracode has reduced the cost of our DevSecOps, just from the 25 percent time-saving. The most expensive factor is not computers or technology, but rather, it's people. If I were to add together all of the salaries of the individuals and compare the amount of time saved to the total salary cost, I could cover the expenses for my infrastructure twice over a year. 

The most valuable feature is the SAST capability and its integration into the Veracode pipelines.

From what we have seen of Veracode's SCA offering, it is just average. The SBOM is adequate, but it's essentially the same as what everyone else is doing. In terms of SCA, they are about average compared to other systems. Therefore, I would like to see some improvements. 

SAST, DAST, and SCA in a single pane of glass would be a good upgrade to Veracode.

We are a Jira and Confluence shop and I would like to have a really good integration with those tools. 

We have a ticketing system that not too many companies have ever heard of. In fact, I had never heard of it before coming here. Instead of using a well-known industry standard like ServiceNow, we use a ticketing system called Cherwell, which also has an open API. Having an API for the ticketing system would be really beneficial.

I would prefer if Veracode offered more options for licensing, such as a pipeline or project license instead of a user license. Currently, I have around seven hundred users, but I manage fewer projects. Therefore, I believe it would be more beneficial and efficient for me if Veracode could adopt a project-based pricing model. In reality, I have multiple teams working on various projects simultaneously. Pricing based on the number of projects I have up and running would be more suitable for my needs compared to the number of developers working on a particular project.

One thing that I would like to be able to do is to receive a daily summary of the emails I currently receive. With numerous ongoing projects, constant scanning occurs, resulting in a high volume of emails about what is being processed. I believe it would be helpful if Veracode could create a daily summary of these emails. This way, I can easily track the number of actual emails I receive without having to go through each one individually. As of now, I already have 65 emails from Veracode, specifically regarding the processes that ran today.

I have been using Veracode for three years.

I have almost never seen any downtime with Veracode.

The scalability is excellent because we utilize Veracode on their cloud infrastructure, and we handle dozens of projects daily.

I've never had a problem that didn't get solved, or at the very least, get immediate feedback. So, I would say their technical support is very good.

Positive

I previously utilized a solution provided by IBM in my previous organization, but later we transitioned to a company named WhiteHat Security. The reason for this switch was that when we conducted a scan using the IBM solution, it returned a result of ten thousand vulnerabilities. It was my responsibility to review the vulnerability report and clear out any false positives. However, this task was extremely time-consuming, taking nearly forty hours to complete. The reason behind the prolonged effort was the spidering scan performed by the IBM solution, which continually traversed different pages through various links, leading to repetitive errors that required matching and deduplication. Out of the ten thousand vulnerabilities, approximately a thousand were legitimate, and the scanning capability was limited to DAST. To address these challenges, we migrated to WhiteHat Security. With WhiteHat's scanning process, the number of vulnerabilities was reduced significantly to around six or seven hundred. Their approach outperformed my manual efforts in identifying duplicates and further eliminated non-duplicate vulnerabilities that were caused by the same piece of code.

When I joined my current company they were already using Veracode.

The initial setup was straightforward. We connected to the Veracode cloud, so essentially, we are operating on their public cloud. Whenever we run any process, we send our code to them. They execute it, and we receive feedback from the execution.

I have not been involved in the initial deployment of Veracode, but I have been involved in deploying the pipelines, creating and building out the ISMs, and also administering users. Recently, we moved and integrated it with our single sign-on. Since we're using Okta, we performed the integrations, and now everyone connects through Okta.

We utilized a value-added reseller, and they provided integrators themselves. Additionally, we have direct connections with Veracode. So, my understanding is that we likely received assistance from both the value-added reseller's team and Veracode.

We have monthly calls with Veracode. I work directly with engineers and have access to their email addresses and telephone numbers. This way, whenever there's a problem or an issue, I can easily reach out to someone. Additionally, I receive almost daily emails regarding recent developments and occurrences.

We have seen a return on investment. We have two hundred teams, and approximately 70 percent of them are integrated with Veracode, running pipeline scans on about 50 percent of those. The remaining teams conduct manual SAST scans instead of using pipeline scans. We have likely saved 25 percent or more of the time it takes developers to go from a startup project to the final build and deployment, just by addressing vulnerabilities.

We pay based on the number of developers working on a particular project.

Our organization evaluated four or five different solutions before selecting Veracode. The issue with the others was that they only offered either SAST or DAST, but not both, whereas Veracode provides both.

I would rate Veracode an eight out of ten. Veracode needs to improve its SCA capabilities to become a market leader rather than a market follower. Another noteworthy area they are starting to focus on is container security. I assume they will compete with Laceworks and other companies in that domain, which makes it worth keeping an eye on.

Veracode's software build of materials feature is integrated into the software composition analysis, which we are currently exploring for utilization. However, at this time, we are using a third-party product for that purpose.

Veracode's false positive rate is very low based on what we have found. However, there are instances where it becomes confused, identifying one type of vulnerability when it is actually a different type that appears similar. Nevertheless, we always conduct verifications before approving a list of vulnerabilities for the developers to address. We thoroughly go through and verify at least most of the different types to ensure their validity. My team verifies the false positives, so the developers almost never see them. Because we don't encounter many false positives, we don't spend a lot of time fine-tuning policies. We'll make some minor adjustments, and it should mostly resolve the issue until we encounter a different type of false positive. Then, we'll have to address it separately.

One of the other things that I have observed recently is a tool called Veracode Fix. We have not examined it yet, but it's worth considering. Normally, we avoid implementing too many automated fixes because sometimes they end up causing even more issues, particularly when dealing with legacy code while transitioning to Veracode. Allowing automation could potentially lead to the application being permanently shut down, especially in cases like Software Composition Analysis and Software Bill of Materials where we may need to upgrade to a different or less vulnerable, open source piece of code. If we upgrade without ensuring compatibility with our existing setup, it could break numerous things. Hence, we previously attempted to use automated fixes, but the outcome was negative, and we have decided never to repeat that mistake. Therefore, it's something we plan to explore, but we need to ascertain if there have been any changes in that type of setup.

For someone who wants to use Veracode but is concerned about the cost, the amount of time saved, especially on the SAST side of things, makes it worthwhile.

We are a multi-cloud organization primarily using AWS, with 25 percent of our infrastructure on Azure and a smaller portion on Google Cloud. We are currently using Google services only because we are a Google shop rather than a Microsoft Office shop. As a result, all of our emails are managed through Google, and we rely on Google Docs and other related tools. 

There are four architects and a group of DevSecOps professionals who work directly with the development and operations teams. They form the security component of the organization and are responsible for operating Veracode on a daily basis. Their primary role is to assist the developers in integrating Veracode into their workflows, setting up pipelines, and collaborating with them when vulnerabilities are identified. They are available to help the developers understand why they received a vulnerability and guide them on how to address and eliminate it.

The only maintenance we will have to deal with is related to the ISM servers. These ISM servers are actually controlled by our company. There is an on-prem link to the Veracode cloud. When they conduct their scan, they access the server, which acts as a jump box. This enables them to scan our internal applications that do not have direct access to the outside world.

Veracode is a good Dynamic Application Security Testing tool, but it excels as an outstanding Static Application Security Testing solution for organizations that prioritize serious security measures.

We use Veracode to identify vulnerabilities in code to ensure the security and integration of the apps.

Veracode effectively identifies vulnerabilities within the code. My role is to analyze these vulnerabilities and assign a severity level before forwarding them to the development team. This allows them to address the issues before deployment to production.

Whenever Veracode releases a new feature, we seek the expertise of Veracode's application security consulting team to understand its functionality and how it contributes to code security. The team demonstrates exceptional responsiveness and promptly addresses our questions, eliminating the need for unnecessary back-and-forth communication.

In today's digital world, cybersecurity is more important than ever. Veracode offers a comprehensive suite of features that help developers secure their code through automated scanning. This scanning identifies vulnerabilities and detects malicious code, preventing it from entering production.

Veracode has helped reduce our time to remediate security flaws.

The policy reporting for ensuring compliance with industry standards and regulations has been positive for our organization.

Veracode provides visibility into application status at every phase of development.

It has been instrumental in enhancing our organization's ability to fix flaws while simultaneously reducing our manpower requirements allowing us to focus on other issues.

Veracode has helped our developers save 20 percent of their time.

Implementing Veracode has significantly bolstered our security posture. We can uncover more vulnerabilities and streamline our detection process. We've become more proactive in identifying and addressing security threats. This allows us to focus on building secure applications with confidence.

Veracode has proven to be a solid choice for our organization's shift-left security strategy, compared to other solutions like Darktrace.

To ensure secure software from development to deployment, we leverage Veracode throughout our CI/CD pipeline, enhancing our app security at every stage.

Veracode helps us prevent vulnerable code from entering production, strengthening our third-party application security.

Among Veracode's features, vulnerability scanning stands out for its effectiveness in identifying and remediating security weaknesses, ultimately mitigating threats to our applications. 

The integration capabilities have positively affected our existing development tools when integrating with other cloud solutions. It is easy to integrate and the support team is helpful during the integration process.

Veracode helped improve our compliance posture with our existing solutions.     

The automation of Veracode is great because we no longer have to run manual testing. 

The weekly report logs are great because we can address any vulnerability issues that are detected quickly.

Veracode runs comprehensive scans and links the vulnerable code to the weekly reports identifying what services are affected and forecasting the next steps.

The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users.

I would like Veracode to introduce more sophisticated AI features.  

I have been using Veracode for one year.

I would rate the stability of Veracode nine out of ten.

Veracode supports scaling up whenever we want to keep up with our growing app portfolio.

I would rate the scalability of Veracode eight out of ten.

The experience I had with their technical support has been great.

Positive

I recently changed companies, and my current employer does not use Veracode. However, I have discussed implementing it with them because it offers more mature features compared to other solutions.

The initial deployment took around four months and required five people.

Veracode is affordable for large organizations, but its pricing may be out of reach for small and medium companies.

I would rate Veracode an eight out of ten. Veracode's pricing hinders my overall rating of the solution. 

Veracode was deployed in two regions with 25-plus users.

Veracode requires some maintenance to keep the scanning accurate.

While I highly recommend Veracode, affordability for smaller organizations may be a significant hurdle due to its pricing structure. It's crucial to carefully evaluate their budget constraints and explore alternative solutions if necessary.

My use case for Veracode is for a front-end application, specifically an agent compensation calculation engine. That application is deployed through an EAR file, and then Veracode scans the EAR file and gives me the scan report to help me change and improve the file for future deployments.

What I found most valuable in Veracode is that it gives me a part-by-part report of the entire EAR file and lets me set up the application for a limited time. For example, I'm running an application via the dev ops pipeline. Hence, I need to create a pipeline application and a sandbox to connect with Veracode and then add my application. When you create a sandbox, you can create it full-time or for a limited time, so I created it for a limited time. Once that expires, Veracode allows you to automatically renew it, which is one of the features I find remarkable in Veracode.

I also like that for each integration in Veracode, there's documentation.

I also find the Veracode support team extraordinary because the team goes above and beyond to ensure you get the best experience.

I find Veracode essential in preventing vulnerable code from going into production because if there's a vulnerability, the solution finds it. For example, my code has many JavaScript front-end and EAR files with some vulnerabilities. Right now, I'm deploying my code, but in the future, I may have to improve it and change it to ensure the servers are secure, so in that way, Veracode becomes more important for the industry today.

Policy reporting in Veracode is good in terms of ensuring compliance with industry standards and regulations. I like that the solution is more flexible when working with applications, mainly because my organization has a good firewall. Veracode is flexible and allows the organization to connect to the firewall in various ways. The Veracode policy is flexible and has an entire page and record that connects with my application, industry, company, and server in different ways. It does not disturb my policies so that I can get my application to work.

The false positive rate for Veracode is about seventy-thirty because it gives the most accurate report. For example, my organization depends on the Veracode analysis to ensure the code is on point, so the organization is building the next BI based on the Veracode analysis.

Veracode has also helped my organization save time because, without the report, the development team would spend a lot of time figuring out what is wrong and why the application is vulnerable. Veracode points out what is happening and why the file size must be reduced, so it helps reduce mistakes in terms of time.

An area for improvement I found in Veracode is the connectivity because currently, my company uses a plugin for the dev-ops cloud-based connectivity. A pretty helpful feature would be if Veracode gives a direct code for connecting to the Oracle server directly and authenticating it via a unique server. Currently, my organization has to find a roundabout for that and then needs to build a separate pipeline and then connect that pipeline for Veracode to start.

I've been using Veracode for the past two months.

Veracode has always been stable. It has good stability.

I found Veracode scalable because it supports a variety of platforms. Though the support for other platforms is less, Veracode has been incorporating more support over time and offering other solutions as well.

If you're unable to set up the solution, the Veracode team has a consultation call to help you set up the solution. The team would even raise set-up-related issues with the Veracode engineering team, which was how I reached Veracode Technical Support, which was a good experience.

I found Veracode Support extraordinary. I've been having an issue for the past month, and the team reached out to me and has been working with me for the past month, giving me various solutions to figure out how to solve the issue. It turns out it was a firewall issue, and I just had to go to the back-end and allow the back-end application, and now it is working fine.

The Veracode Support team was helpful and escalated my situation from level one to level two to level three, and finally, had the appropriate team reach out to me based on my issue. Then, within the span of two weeks, the team finally figured out the issue I was facing and gave me the final results and how I could fix it, so I found support good, fast, and responsive.

Overall, I had a pleasant experience with Veracode Support, so I rate support as eight out of ten.

Positive

I didn't use a previous solution before Veracode.

I wasn't involved in the initial deployment of Veracode.

I have no information on the pricing or licensing cost for Veracode.

I've not used the Software Bill of Materials in Veracode.

I'm unsure how the false positive rate affects developer confidence in Veracode on fixing vulnerabilities because I'm more of a DevOps user and don't work on development but automation.

I'm also unsure of the effect of Veracode on my organization's ability to fix flaws because I've not used it directly to fix any flaws. I report to the dev team, who then takes the report and fixes the flaws accordingly.

I'm unsure of the impact Veracode had on the overall security posture of my organization, as I didn't use it for that.

In my organization, Veracode has a hybrid cloud deployment.

The solution doesn't require any maintenance.

My rating for Veracode, overall, is eight out of ten.

What I'd tell others looking into buying the solution is that as far as DevOps is concerned, Veracode is a must-have. It's been helpful for my organization DevOps-wise, though I have no information on other Veracode offerings. I recommend that others buy Veracode.

My organization has a business relationship with Veracode. It's a Veracode partner.

We use Veracode for its code analysis features, which include static code analysis, dynamic code analysis, and checking for security flaws in our code. Mainly, we utilize Veracode for application security, making code security one of our primary use cases.

Since implementing Veracode, we have seen significant improvements in our code's security and the overall code development process. Veracode has been instrumental in enhancing our code security and streamlining the development workflow. In the past, we relied heavily on third-party applications that were not directly aligned with our codebase. However, now we can seamlessly integrate Veracode into our application process, saving a substantial amount of time. Veracode has not only improved our security setup but also enhanced the overall security of our organization.

Before implementing Veracode, the same process that used to take one hour now only takes 15 to 20 minutes.

Veracode's policy reporting for insurance compliance with industry standards and regulations is good. We can integrate numerous reports, and the positive reporting feature is also highly commendable.

Veracode provides visibility into the application's status at every phase of development.

Veracode works very well overall, and our security has been greatly improved, significantly impacting our ability to fix flaws.

The security process has been improved. Before using Veracode, we used to perform it manually. However, at that time, there was no application that could be integrated with the code. Now, with Veracode, we can directly integrate it with our code. As a result, security checks are being done automatically, saving us 30 to 40 percent of our time.

Veracode offers various security features. Veracode performs the analysis using three different methods: static analysis, dynamic analysis, and software composition analysis. These security features are the best, and the most valuable features.

Veracode's ability to prevent vulnerable code from going into production is commendable. However, we have encountered numerous cases of false positives that need improvement.

The technical support service has room for improvement. There are times when we rely on them, but we are not receiving an adequate response.

The stability has room for improvement.

I have been using Veracode for one and a half years.

Veracode is stable, but there is room for improvement.

Veracode is highly scalable. We have not had any issues with scalability. 

Before I joined my organization, they used a third-party application to check code. Since I joined, we have been using Veracode.

The initial setup was somewhat complex. The deployment took a couple of weeks because we needed to resolve numerous technical issues that we had to understand first. We had six people involved in the deployment.

Veracode's price is reasonable.

I would rate Veracode an eight out of ten. I recommend Veracode to others.

Veracode's false positives significantly impact our developers. When we encounter numerous false positive cases, we are required to conduct extensive reviews. How much it affects our developers depends on the number of false positive cases we are encountering and the significance of addressing them concerning the criticality of writing the code.

Veracode can save time in our DevSecOps process, but it may not significantly reduce costs.

Organizations that have security flaws in their code and seek to enhance their core security can consider Veracode as one of the best options for investment. Veracode is easy to implement and can effectively address the flaws in the code, provided that cost is not a significant concern.

Maintenance is required from time to time, specifically regarding false positives. We need to verify whether the system is functioning properly and communicate with the support team. The intervals for these checks occur after approximately 30 or 60 days, which we have selected, and we must strive to improve the system during these instances.

Veracode is deployed at two locations within our organization.

We use Veracode for static code analysis scans for our clients.

Veracode is deployed both on the cloud and on-premises.

Veracode helps prevent vulnerable code from being deployed into production by identifying problematic code. It enables us to send a report to the application developer, allowing them to address the vulnerabilities based on their criticality level. The developers are given six months to address medium-level issues and three months for critical ones. If the criteria are not mapped with the higher critical alerts present in those applications, we can enforce the build field and proceed without deploying it into production.

Veracode has helped improve our customers' organizations through the scanning taskbar, which identifies vulnerabilities in code. We have worked with ten clients, all of whom used Veracode to identify vulnerable code early in the development stage and resolve the issues. Additionally, Veracode offers Greenlight ID, which developers can integrate into their development process, providing clarity during the development phase. Veracode can also generate reports that developers can resolve, facilitating the quick resolution of security concerns.

The policy reporting for ensuring compliance with industry standards is excellent. The report helps us maintain our compliance.

It offers visibility into the application's status at every phase of development, including static analysis, dynamic analysis, composition analysis, and manual penetration testing throughout the Software Development Life Cycle.

Visibility aids the DevSecOps process by offering a clear framework for all involved departments, including the steps for handling severities.

Veracode assists our clients in addressing flaws by simplifying the process. The security team can review the code, approve or reject it, and developers can utilize the reports to promptly rectify the flaws.

It assists developers in saving approximately 20 percent of their time, primarily in the static part, as they no longer need to review all the code. Regarding the dynamic part, Veracode scans all the URLs, eliminating the necessity for developers to use additional tools. For third-party dependencies, developers depend on the reports and the Greenlight ID plug-in to streamline their workflow and save time.

Our clients depend on Veracode to improve their security stance.  

The CI/CD integration is the most valuable feature of Veracode. This feature is not present in other solutions.

The analytics dashboard is not user-friendly and can be improved to assist us with the application size and enable modifications, whether for static or dynamic scans. This is currently missing in Veracode.

Veracode needs to improve its integration with other tools.

We have requested an enhancement for Veracode because it does not support scanning the static and dynamic elements of code created by MuleSoft. Furthermore, it does not support these aspects for the new generation of applications and we have to use other tools.

I have been using Veracode for over seven years.

If there is an issue, I am unable to access all the logs due to insufficient permissions, which causes delays.

Veracode is scalable. To increase the scale, we simply need to increase the number of licenses.

The technical support team's response time is inadequate. Typically, they fail to provide assistance beyond the initial call due to the limited knowledge and inability of the first-level support to resolve issues effectively. I have been dealing with a single issue for three weeks without any resolution.

Neutral

The vendor handles the deployment, and we simply need to install the ISM agents on our network. The deployment time depends on the size of the application. Large applications may take up to five days to scan, but on average, it takes one or two days.

The pricing depends on the functionality each client desires. For example, one of our clients only wishes to scan two applications, so they pay for that specific service in addition to our organization's third-party access to their system.

I give Veracode an eight out of ten.

20 to 30 percent of the false positive rates are vulnerabilities. Sometimes, almost 50 percent of the reports are false positives, which affects the time spent on tuning policies.

The false positives increase the amount of time our developers need to spend investigating the reports. 

Veracode offers static analysis, dynamic analysis, and composition analysis all in one place.

We are a team of five individuals who assist in deploying and managing Veracode, along with handling other tasks.

Our client base varies depending on their budgets, but we serve a large number of organizations in the financial industry.

I recommend Veracode. The solution is on par with the others, and organizations can read the reviews and run some tests before making a purchase.

Our primary objective when using Veracode was to ensure the security of website development and other application developments we were working on. We aimed to prevent any security breaches and also closely monitor any potential vulnerabilities that could arise from code deployment. Fortunately, we were successful in identifying and addressing these vulnerabilities. 

Although the responses were somewhat mixed, we managed to go two years without a single security breach, which was a significant achievement. In addition to monitoring security breaches, we utilized Veracode for continuous monitoring. The difference lies in the fact that once the code is deployed and access to the server is initiated, there is a high possibility of connecting to a different server or encountering interference from unauthorized individuals. This continuous monitoring allows us to observe each step of the server, including the IP addresses and protocols, and ensure their proper functioning. Veracode facilitated us in carrying out this monitoring effectively.

Veracode's ability to prevent vulnerable code from entering production is remarkable. We were once alerted that there was a possibility of a breach occurring. Despite spending hours pondering the issue, we were unable to determine how that possibility existed. After discussing with the support team, we eventually learned the cause. Therefore, in terms of detecting vulnerabilities, it was excellent. However, the problem arose from the fact that it was not well-customized for our organization. Consequently, there were multiple instances where flags were raised for our IP address or email, which we knew were not vulnerabilities. In such cases, we had to address them accordingly.

Veracode's reporting feature provides comprehensive insights into the security status of our code or application. These reports generated by Veracode offer visibility into vulnerabilities and different severity levels of threats that may be present. They also recommend remediation steps to address these issues without extensive code modifications. I find this reporting feature valuable. Additionally, Veracode regularly releases updates, sometimes multiple times a day, ensuring that we are consistently up to date. Although this requires my engineers to work extensively on integrating AWS services with our platform, it is one of the standout features of Veracode due to the recommendations and frequent updates it provides.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is on the mark. Everything was proceeding as it should, with adherence to the established procedures, protocols, and reporting mechanisms by both the organization and the support team. At no point did we feel that the industry standards were compromised.

Veracode provides visibility into the application's status at every phase of development. Primarily, we were only conducting two types of tests. One was continuous integration, which keeps track of the entire application's deployment process. It detects any defects and ensures a smooth deployment. The other test we used to perform at certain times was manual integration. We would delve deeper and test additional aspects because we wanted to ensure with utmost precision that there were no vulnerabilities when deploying the application. Hence, we also had to manually utilize this program before deploying or pushing it to the code.

When conducting the cost-benefit analysis for Veracode after six months, we discovered that there were actually only two significant security breach possibilities. With the assistance of the solution, we were able to detect and resolve these breaches. The most significant advantage provided by the solution was the assurance that no breaches were occurring outside of the office. Any potential risks were either determined to be false alarms or promptly addressed. Therefore, the only actual breaches we encountered during the six-month period were two. However, we also gained a sense of security, which I consider to be a worthwhile trade-off for the cost.

Speaking specifically about the security department of our company, there was a notable reduction in costs after the introduction of Veracode. However, when considering the broader scope of all the development departments, we not only had to invest more time in each project but also had to hire additional resources. Consequently, when taking into account all the departments collectively, the overall expenses increased. However, focusing solely on the security development department, there was a substantial decrease in costs, approximately $7,000 per month.

The recommendations and frequent updates are the most valuable features of Veracode.

The false positive rates were quite high in our case. Prior to seeking a solution, we had already engaged in discussions with their support team, who also confirmed this issue. We had read a few reviews, which indicated the presence of false positives. However, in our specific situation, the number of false positives was substantial. There were instances when we logged in during the morning and encountered 30 or 40 raised flags. Resolving them sometimes occupied a significant portion of our day, often extending into the first half. Thus, in certain projects we undertook, the occurrence of false positives was considerably elevated. Despite being aware of this, we acknowledged that a majority of these flags were likely false. Nonetheless, due to the matter of security, we had to address them, resulting in a significant allocation of our time.

The false positive rate of the static analysis has impacted the time we spend on fine-tuning policies. We have had to allocate a considerable portion of the software team's time to address the significant number of false positives, resulting in substantial time investment. Additionally, some of our projects with clients have been delayed due to this issue. One particular project experienced a delay of approximately 25 days, with false positive cases accounting for an estimated 60 to 75 percent of the delay. The cost of the false positive rate is causing a slight disruption in the development process. Therefore, I believe this is the major area that needs improvement.

We initially deployed on the AWS cloud because AWS also offers us additional security benefits and most of our other solutions were already on AWS. However, I think Veracode could develop a self-contained cloud system, allowing them to deploy the solution on their own system. This would be beneficial for us as they could provide the data privacy we require. It would be great because each new update on the security process necessitates a slight change in the program.

The reporting features could be subcategorized if the bugs are categorized and subcategorized according to our requirements rather than the understanding of the security system. This would be beneficial because whenever we need to integrate or resolve a bug, it is crucial for us to identify the vulnerable parts of our code. This process requires additional time and effort. Moreover, it is often challenging for us to comprehend the specific changes the system expects from us.

I have been using Veracode for two years.

The stability of Veracode, in my opinion, was not very reliable considering the need to consider false positive readings. We had to invest a significant amount of time rectifying or addressing those inaccurate queries, which made it a less-than-ideal solution.

I believe the solution is scalable. I remember a time when we were working with four clients in total. Even though our agreement with Veracode was not to exceed three projects, we were able to manage that, and everything went smoothly. They were even able to implement registration. This probably occurred due to significant delays in one of our projects. I was able to onboard the next client, which means we were working with four clients at that time.

The technical support team is knowledgeable. In the initial stages, when our team lacked the technical capability to perform manual configurations on our own, they assisted us with that. Overall, the experience was satisfactory. Nothing extraordinary, but it was good.

Positive

The initial setup was fairly straightforward, although it did take us some time. Our team lacked the necessary technical capabilities since it was a new endeavor. Before Veracode, our company didn't have any other security measures in place. Since it was a new concept, our employees also had a technical knowledge gap, which required some time for learning. However, the deployment process, on the whole, wasn't overly technical. It was done in two or three stages. The first stage involved initial queue meetings to understand the configurations we were using for deploying the code. The subsequent meetings focused on understanding the features we desired, how they would be implemented, and accessed, and their frequencies. Following that, the tech team took over and handled the deployment for us.

Six engineers were involved in the deployment, although the entire working team comprised twenty-two people.

The implementation was completed in-house.

It is quite challenging to calculate ROI. However, I can confidently state that over the course of two years, we did not experience a single security breach. Furthermore, we ensured that our solutions were free from any vulnerabilities when delivering them to our clients. As a result, we established a positive reputation with our clients, as evidenced by the certification from Veracode, confirming the absence of vulnerabilities in our overall feature or code deployment. In summary, we maintained a flawless record of zero security breaches. Despite the difficulty in conducting a cost-benefit analysis, it remains an essential task.

I believe the price is fair according to market standards. However, if we are anticipating a growth phase in the enterprise, it might be a bit costly for us. On the other hand, if we are currently making profits and aiming to stabilize ourselves while improving our solutions and working with our existing team, it suited us well during that period. We were focused on developing the final product, refining protocols, and enhancing overall product development processes for our brands. Therefore, I believe it was a good fit for us. However, organizations that are in a growth phase may want to consider other options, even if it means compromising slightly on the security aspect.

We previously evaluated other solutions. One of the primary reasons for choosing Veracode was the ability to configure it at a deeper level, which was not possible with the other solutions. Another advantage was that the other solutions did not offer a six-month trial period, unlike Veracode. We initially had a trial for six months, which was later extended to one and a half years. Therefore, pricing became the third factor. However, even at the end of the two-year subscription, we were unable to conduct a thorough cost-benefit analysis. This seems to be a common situation in the industry. Without experiencing a breach, it is difficult to assess the cost-effectiveness of a solution.

I give Veracode a nine out of ten. I believe that, in general, Veracode is a good product. False positives and these types of issues can be found in almost every security product out there. The best part was Veracode's technical team. They were proficient in their knowledge and there was never a moment of misunderstanding between our team and theirs. Overall, Veracode ensured that we did not encounter any ransomware or security breaches at any point in time.

Our DevSecOps team was involved in two stages of the entire process. The first stage was during the initial design phase of the specific application build. We had to determine when and where we wanted to manually interpret using the tool, as well as identify potential security breaches that required close monitoring. This was the initial step. Following that, our team proceeded with development, which typically progressed smoothly in collaboration with the client for a period of two to three weeks. As we approached the deployment phase, we would once again discuss with their team to determine specific points where DevSecOps would manually deploy the solution for testing purposes. Afterward, we would assess the solution from our end.

The false positive rate did not have a negative effect on the confidence of our development team. It was made very clear to us by Veracode's support team, as well as through other reviews and conversations with clients, that there would be a possibility of false positives being raised. We had to go through them because we cannot afford to miss out on any potential security breach.

I don't believe Veracode has helped us save time. Overall, if we consider the larger context, saving time was not a direct expectation communicated by Veracode. Their expectation was solely to prevent any security breaches. Regarding time-saving, I don't think Veracode has provided any assistance in that aspect.

At the end of the day, we were essentially thinking of transitioning to a new solution, primarily due to the high number of false positives we were receiving from Veracode, we conducted a cost-and-benefit analysis specifically for Veracode. We discovered that, overall, it prevented our solution from being breached for more than six clients. Considering our annual client turnover rate is approximately twelve to thirteen, Veracode played a significant role in addressing a substantial portion of our challenges.

I recommend negotiating with Veracode for a free trial period. We frequently engage in negotiations to secure a six-month trial. A trial will assist in comprehending the intricacies. While there are benefits, it is important to note that the time required for each project will naturally increase. It is crucial to understand how Veracode operates and determine if it aligns with the company's needs. However, regarding pricing, I am confident that Veracode delivers as requested.

Veracode functions solely within the development department, but within the department itself, we have a division based on the two types of clients we deal with. One type is primarily focused on development, while the other is focused on procuring or conducting quantitative analysis for the markets.

For general everyday maintenance, only two people are involved. However, for monthly maintenance, approximately six people from our end are involved, and I am unsure of the number of people from Veracode's end.

I would advise speaking with other clients like us who have already used Veracode. Prior to that, however, we need to understand what kind of security breaches are possible in our solution and determine how much of our money and time we want to allocate to addressing them. We should assess the importance of these breaches to us. Once we have this understanding, we can discuss with other clients how the overall process went and how much time it actually takes. The final step would be to directly contact their team and negotiate for a longer trial period. The best decision we made was to initiate a six-month trial with Veracode and then transition to full-time usage.