Veracode Reviews

Veracode helps us identify bugs and flaws in our code while operating it. We use the solution's static analysis feature to analyze code before running applications dynamic analysis that scans the app while it's running.

We typically run Veracode at the end of the development phase when we are ready to launch our software. We also scan for vulnerabilities after the software goes into production. It's the final phase of our development cycle.

Veracode has reduced the amount of time we spend manually investigating our code. It has also enabled us to identify and fix bugs earlier, so we don't need to release patches after a product is launched. 

The false positive rate is quite low, which is critical. If it had a high false positive rate, it would be difficult to trust this software. We can discover lots of errors and bugs manually, but this software enables us to clear any error or compliance issue with a low false positive rate. It's highly efficient in that sense. We can trust the process, so we spend less time investigating issues manually.

In one development cycle, Veracode usually saves us four or five hours of human work that goes into checking the code, finding errors, and fixing them manually. The remediation is also built into the software.

Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production. Veracode helps prevent vulnerable code from entering production, and it has a low false-positive rate, so it can reliably find real vulnerabilities. 

The software bill of materials feature has proven helpful in finding bugs and flaws that may cause problems in our product when we launch it. It has helped a lot to exponentially reduce the cost after the launch cycle. It is quite easy to create reports and perform a detailed analysis because much of the process is automated. It can fix most issues automatically.

The scanning could be a little faster. The process is around three or four minutes, but it would help if it could be further reduced.

I have used it for four months.

We haven't experienced any downtime since we started using it. It is highly stable. We haven't seen any server crashes from their side. 

Veracode can handle lots of processes, so I would say it is scalable.

I rate Veracode support eight out of 10. The response times are fast. If we have a problem, they respond within four or five hours. 

The setup process was straightforward, and the Veracode team guided us through the deployment, which took about four or five hours. It only takes one person to install the solution. It doesn't require any maintenance after deployment. 

Veracode has eliminated a lot of manual security processes that cost a lot of money and time. It has saved us lots of time and money for development.

The cost of scanning code is cheaper. It's typically $0.50 per line of code. However, it's expensive to run a high-level process that would normally require a human security expert.  For example, penetration testing costs about $1,000 per application for penetration testing. The cost of these features may be too high for smaller organizations. On the other hand, Veracode's interactive application security testing is fast and cheaper compared to other software. 

I rate Veracode nine out of 10. If anyone is considering Veracode, I suggest trying a demo beforehand so that you can see how it addresses the kind of problems your organization is facing and how it works with the programs you are creating. 

Our primary use case for Veracode is to secure our software development lifecycle. It's deployed in a couple of countries and connected to multiple applications. It's used by five development teams, each of which has a different focus, such as digital channels, CRM, ERP, backend deployment, and billing. We also have a team that coordinates all of the efforts of the secure development policies. That team sets the guidelines and policies. The entire development team has about 20-30 people. 

Veracode has sped up the development cycle, helping us bring products to the market faster. I work at an IT services company with hundreds of customers who have various needs for different kinds of tools. That doesn't mean we use Veracode for all our customers, but for certain customers, it's critical because the solution reduces the amount of time needed to prevent and detect issues. Bringing secure applications into production is essential. 

We can't just rely on our development teams to make, test, and manually review the code. We need powerful tools that provide a strong framework for detecting vulnerabilities and scanning application components. Penetration testing is the most important because hackers break into the application and access the information. 

Dynamic analysis is also crucial for web applications, which can be risky. Veracode can dynamically detect vulnerabilities and block traffic. It is sometimes hard to differentiate real users from hackers. Dynamic analysis must be implemented with a user-sensitive perspective. 

I work in Latin America, and there are regulations on information security and the use of customer information. The most vital areas are things like health information and finance. You can face penalties for failing to protect customer information, so it's critical for us to secure our code during development. Any vulnerable code or application component can risk disclosing customer information from customers and allowing an outsider to penetrate the systems or databases.

Veracode offers visibility throughout the entire development lifecycle. SecOps is an essential framework inside the organization currently because we need to deliver applications to market faster while improving code quality. It's crucial to be careful when using code generated by community sources. We need to test the final applications and also the components and packages in any code repository we use. 

We're deploying complex pipelines and utilizing CI/CD. For example, Veracode is important when connecting management tools, code repositories, and various cloud components. Having that integration and capacity to connect to various tools in the DevOps framework is vital for the DevOps team. Every business must decide its risk tolerance and set a threshold of vulnerability permissions in the application to detect. It's really powerful if you can configure the threshold correctly. 

Developer confidence depends on their capacity to understand, and Veracode has to detect vulnerabilities and provide suggestions for correcting them. Sometimes it's an upgrade; sometimes not. It also provides different kinds of information to the developers. 

Veracode has had an enormous impact on our ability to detect flaws. It's risky if we don't have the capacity to detect vulnerabilities in the earliest stage of development before the applications go into production. It's also an important time-saving tool. It reduces the time spent manually addressing vulnerabilities by about 20-30 percent. 

I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc. 

Most of the time, the key thing was to ensure the security of digital channels and reduce the risk of any breach that could cause a security issue. It's critical to maintain the security of sensitive information transferred from our customers to the sales staff. Keeping that data secure is important for the customer relationship and also for compliance and recurring sales.

I rate Veracode 10 out of 10 for its ability to prevent vulnerable code from entering production. It has a lot of useful and intuitive features. In previous settings, static analysis was one of the primary use cases, but dynamic analysis is also helpful. Veracode is highly valuable because one vulnerability could result in service downtime or worse: a leak of customer information. 

The investment in the tool is justified because we can detect and prevent vulnerabilities much earlier in the process. Software composition analysis is also vital when we use open-source middleware or backend components for business-critical functions like bringing information from one source to another or connecting one application to another. 

Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data. 

You pay for all of the time that the tool is running, not for the number of scans. There are specific rules governing the amount of traffic applications can consume from the allotment you have. I would like the pricing to be more personalized. For example, some companies don't have a large budget for this kind of tool, whereas a large enterprise can acquire this kind of solution and pay for it. However, I'm an IT consultant working with various types of customers in different industries, including finance, insurance, and telecommunications.

I started using Veracode at least three years ago.

Veracode is a highly stable platform. I haven't experienced any service disruption, and the performance is solid. 

I've used Veracode in a telecommunication company with a huge environment and more than a hundred applications. I don't have experience with smaller-scale use cases, but I know the cloud is quite scalable. 

I rate Veracode support nine out of 10. We get support from the resellers and direct support from Veracode analysts. We call the support team or the architect when there is a serious technical isssue. 

Positive

I haven't used a commercial tool like Veracode before. It depends on where I'm working, but the most common tool we use is an open-source solution called SonarQube. 

Veracode is straightforward to deploy. It's not hard to connect it, and we had support from a local vendor to help us integrate it into our dev lifecycle. It required only one person from my team. 

We had assistance from our local reseller, and the experience was great because we had a direct connection from the partner to the brand. We have a local team member who was in charge of the resell process. 

We calculate the return on investment primarily based on the risk. We calculate the ROI annually, but it's not very detailed. We factor in the risks associated with the loss of customer information loss, penalties for noncompliance, etc. In the worst-case scenario, we estimate that could potentially lose up to $1 million annually. 

The licensing model could be more flexible, and Veracode could be more accessible to smaller enterprises. We obtained Veracode through a consultancy. Veracode sets the price through consultation with our reseller, but I have yet to get a direct quotation without any other reseller in the middle. If you are worried about the price, I would say that you could request more information and do a trial, then see if you can negotiate an offer. 

We decided to use Veracode without comparing it to any other kind of solution, we had a kind of consultancy from one of the companies, the IT services company that was one of our partners, and they worked close to us, and we selected Barracuda the tool that we needed.

I rate Veracode nine out of 10. It's an excellent solution for securing the development lifecycle. I recommend starting with a trial and getting in touch with the account team to explore all of the different features. 

Veracode is our primary tool for identifying and resolving security flaws in our web-based applications. When I started at Advantasure, I worked on a claims product, using the tool to remedy coding issues and identify high-risk security flaws. I did that for a while before transitioning to a role as an application security engineer. In this job, I don't fix any security flaws. I help operate the environment. 

We have integrated Veracode with Jenkins so that we can automate building and scanning code. Jenkins uploads the build to Veracode for static and SCA scanning. 

I'm working remotely through a VPN. When I log into Veracode, I check the various applications out to ensure everything's running. If we have any issues, I report them to the appropriate teams. 

We are in the health insurance industry, so compliance with security and privacy regulations is essential. Veracode is the industry standard. We use Veracode when we do internal audits and that sort of thing. You won't be in business for long if you don't have an industry-standard static security tool.

I have only worked at this company for two years, so I can't comment on what it was like before I joined, but Veracode does a good overall job of interfacing with us and giving us advice about areas we can improve. The company has used Veracode for a while, so it's not about improving per se. It's about maintaining and learning to use the tool better or making better use of dynamic scans. Our security doesn't depend on one feature. We're implementing multiple features, such as static and dynamic scans. 

Their policies are relatively helpful for compliance. The policy configuration tool works well. We try to use one policy to cover all our applications. Once we've configured the policy correctly, it does an excellent job of applying that to each application and ensuring compliance. Veracode provides good visibility, and the reports are integrated, so we get insight into each type of scan.

Veracode's false positive rate is decent overall. The biggest challenge isn't a C or C++ call, but it's tricky to follow the data flows when using a web interface. You get a few false positives every once in a while. 

I always tell our developers to verify all false positives because Veracode cannot follow your code flow. It's up to the developer to follow the code flow and check whether it's a false positive. The initial report is an excellent place to start. I don't think the false positives affect developer confidence. I never hear anybody complain about false positives.

The biggest challenge isn't Veracode; it's getting our developers to be compliant. Our organization is undergoing some changes, and we must remind the developers to do their jobs. As an application security engineer, I struggle to get developers to do these tasks because they don't want to do them. At the end of the day, the false positive rate doesn't affect developer productivity.

Veracode doesn't really help developers save time because we're already a mature organization. Their support team has helped us optimize our scan configuration significantly. Regarding the regular developers' goals, we have existing documentation and hold meetings with them. They do support consultations when developers have an issue. 

I like Veracode's static scanning and SCA. We use three static scans, software composition analysis, and dynamic scans. We haven't used dynamic scanning as much, but we're trying to integrate that into our environment more. 

For the most part, we've had good luck with the static scans as well as the software composition analysis scans. Veracode does a decent job of catching most vulnerabilities from making it into production, but it doesn't catch everything.

I have a few pet peeves and minor areas of irritation. Their customer success team does an excellent job, but getting their internal engineering team to do things isn't easy. They seem to lack a focus on maintaining the solution and improving it in the next generation. 

It's a common problem in the industry. Software developers are always thinking about the next big thing but lose sight of what's happening right now. If you have an idea for a feature request, you must submit it to be voted on by the Veracode community. I don't like this. No one will look at it unless enough people vote for it. 

Another issue we have concerns entry points. You must select the entry points for a static scan of your stuff. However, you can fix this by having templates in  Jenkins. Things can sometimes change, confusing Veracode. I want to lock those entry points in. Eventually, our DevOps team will create templates for everything. If I want a new template, I need to submit it to the community and get my peers to vote on it. It's a waste of time. 

I have used Veracode for two years.

I've been impressed with Veracode's stability. The solution doesn't go down often. The dynamic scans went down the other day, but that was a problem with the infrastructure, and AWS rarely has outages. Overall, it's dependable. 

We haven't had any scalability issues with our current scan volume, but we're a medium-usage client. We have more than 30 static scans and 12 to 15 dynamic scans and don't seem to have issues with performance. 

I rate Veracode support 7.5 out of 10. Overall, our technical support is decent.  You have to find someone who works well with you. My biggest challenge is dynamic scanning and getting up to speed on that. You must find out who's good and stick with them as much as you can. 

Neutral

Our ROI comes mainly in the form of compliance. We get a star rating when we're automated, and we need to maintain that. We currently have a fairly high rating, so it's not so much about gaining stars. We need to avoid losing them. By maintaining our high rating, we can also gain more clients. 

Veracode is expensive, but other solutions cost as much, if not more. For example, Rapid7's dynamic scan tool was at least as expensive as Veracode, and Rapid7 wasn't willing to negotiate. We are a reasonably large user. 

It's a fair price. If you're worried about getting your money's worth, you could ask Veracode for a trial license and compare it to other tools in terms of pricing versus features. That's how I would do it. It's crucial to do your homework. At this point, we're somewhat locked in and won't change unless we find something significantly cheaper or better. 

The company looked at other options, and we try to do one-stop shopping when possible. We looked at other tools like Rapid7 but decided against doing a proof of concept because it doesn't offer static analysis. I don't think they could do software composition without static analysis. 

We could use Rapid7 for dynamic scans, but then we would have issues with report integration. One of the primary reasons we use Veracode today is that they have solid support. They typically respond to almost any ticket within 24 hours. Veracode also does an excellent job of integrating its various tools for static scanning, dynamic scanning, etc. 

At the end of the day, we stay with Veracode primarily because of the solution's integration. Our license is up this year, and we currently have no plans to seek out another vendor. We may consider switching next year.

I rate Veracode seven out of 10. Before you evaluate Veracode or any other solution, you need to sit down with other specialists and decision-makers to develop some criteria. See if Veracode will give you a free trial license, and start testing it out. You can also check Gartner. 

In our company, we have various projects, and before beginning the development process, we utilize Veracode to scan the repository for any potential security issues. For instance, if we are using a third-party API or client dependency, such as a payment system, we require a third-party dependency. Once we have implemented this feature and scanned it using Veracode, any security vulnerabilities or code issues are highlighted. It is imperative that we resolve any Veracode issues to ensure our build is successful. To solve these issues, we may need to upgrade the version of our dependencies or investigate any security issues with the versions we are currently using.

The code is checked for any security issues, as well as any potential code issues or code smells that could cause major critical blockers. In this context, blockers have the highest priority, and if any are identified, they must be addressed urgently. The bugs or code smells are analyzed, and priority or severity is assigned accordingly. Dependencies used in the code are also checked for security issues.

Veracode's ability to prevent vulnerable code from being deployed into production is crucial. Typically, if a dependency we use has security issues or concerns, Veracode suggests upgrading to a more secure version. For example, if we're using a PayPal dependency with version 1.3 and it has a security bug, Veracode suggests upgrading to version 1.4 which fixes the issue. We usually make our project compatible with version 1.4, but sometimes Veracode recommends removing the dependent code altogether and adding the updated dependency from another repository. Veracode provides suggestions for resolving security issues and we implement them in our code after resolving any conflicts. We run the Veracode scan again and if it fails, we do not deploy the code to production. This is critical as it ensures that security issues such as bugs and fixes are addressed.

Veracode consistently assists us in identifying security issues in third-party dependencies, while also ensuring the maintenance of code quality. Preventing security bugs and threats in our code improves the overall code quality of our company, which is essential given the significant concerns surrounding security today.

Veracode's policy reporting is helpful for ensuring compliance with industry standards and regulations. Veracode's solution plays a major role in achieving compliance, including HIPAA compliance. Without Veracode scans, identifying security threats and third-party dependencies would be a tedious task for DevOps professionals.

Veracode provides visibility into the status of our application during every phase of development, including continuous integration and continuous development CI/CD pipeline stages. This includes builds, package creation for deployment, and various enrollment stages such as develop, queue, stage, above, and production enrollment. Prior to each stage, a Veracode scan is run. This can be accessed through Jenkins or the CI/CD pipeline by clicking on the Veracode scan option, which provides a detailed report highlighting any security issues and concerns.

Veracode performs statistical analysis, dynamic analysis, software composition analysis, and manual penetration tests throughout our software development life cycle. Veracode scans not only for third-party security issues but also for possible issues in our own code. This occurs in every phase of development, including the SDLC. For example, if we use an encryption algorithm with a private or public key that is easy to decode, Veracode will identify this as an error or warning in the report and suggest using multiple layers of encryption for the keys.

The entire CI/CD process is part of DevOps. Therefore, the responsibility of configuring the Veracode tool usually falls on the DevOps professional. It is essential to integrate Veracode with the CI/CD pipeline within the project to ensure it is always incorporated. Whenever there is a priority or mandatory check required before deployment, Veracode should run beforehand. This integration is carried out by our DevSecOps team.

Veracode's false positive rate is good, as it helps us identify possible security concerns in our code. In my opinion, it is advisable to run a Veracode scan on all codes. I have worked in the IT industry for five years, and I have observed that Veracode has been implemented in every project I have worked on. If a tool is improving our code quality and providing us with insights into potential security issues, it is always beneficial to use it.

The false positive rate boosts our developers' confidence in Veracode when addressing vulnerabilities. Veracode also provides suggestions when there is a security issue with a dependency in version 1.7, prompting us to consider using version 1.8, which does not have security issues. This process involves the developers, and it leaves a positive impression on our managers and clients, demonstrating our commitment to security. We can show them that we were previously using version 1.7 but updated to version 1.8 after identifying the security issue with Veracode's help. Unfortunately, there is no centralized platform to check for network issues or problems with dependencies and versions. Veracode provides a centralized solution where we can scan our project and receive results.

Veracode has helped our organization address flaws in our software and automation processes. Its positive impact has been reflected in our ROI, which increased when we started using Veracode. Without Veracode, we would be susceptible to security issues and potential hacking. However, after implementing Veracode scans, we have not encountered any such problems. It is critical for us to use Veracode because we capture sensitive data such as pharmacy information for real-time users, including patient prescriptions and refill schedules. This sensitive data could pose a significant problem if our code or software has security vulnerabilities. Fortunately, Veracode scans allow us to prevent such issues.

Veracode has helped our developers save time by providing a solution that eliminates the need to manually check for dependencies or search the internet for information on which dependencies have issues. Instead, Veracode provides a detailed report that identifies the issues and recommends the appropriate version to use. Using Veracode ensures the quality of our code and also saves time for our developers. In my career of five years, Veracode has helped me resolve code issues eight times.

Veracode has reduced our SecOps costs by identifying security vulnerabilities in our code. Without Veracode, if we were to go live with these issues, it could result in a breach of our encrypted data, potentially causing significant harm to our organization. This would require significant time and cost to resolve the issue and restore the data. Veracode has improved the quality of our code and reduced the risk of such incidents occurring, thereby minimizing their impact on our organization.

The most valuable feature is detecting security vulnerabilities in the project. This is especially important when choosing third-party dependencies since we may not be aware of any potential security concerns or issues in the code. Veracode can help identify security issues in third-party dependencies, including code fixes and bugs. By focusing on our own security issues, we can also address potential security issues in third-party dependencies. Before going into production, we typically conduct a record scan in each department to ensure security measures are in place. 

The scanning process for records could be faster and there is room for improvement in Veracode's performance. Currently, it takes around 25 to 30 minutes to scan a standard repository, even for a small one. This is not ideal, especially since we are using a microservice architecture with eight repositories. If each repository takes 25 minutes to scan, it would take a significant amount of time to scan all of them. Therefore, I would like to see some performance improvements in Veracode to reduce the time it takes to scan our code and generate detailed reports.

I have been using the solution for two years.

The solution is stable.

Veracode is scalable but the performance can be slow when running scans so the larger we scale the slower it can be.

The initial setup, including Veracode configuration, is straightforward. During setup, we only need to provide the repository path and specify the type of project, based on the chosen technology. We also need to indicate where the project dependencies are located, with prioritization for Java projects and placement in the NPMRC file for node.js or Java security projects. Overall, the process is simple and straightforward.

The implementation was completed in-house.

We have seen a return on investment.

I give the solution a nine out of ten.

All coders should have Veracode since it helps prevent security issues in applications, thereby safeguarding critical data. As we know, all applications contain sensitive information. If we only store some of our data online, we have to rely on applications that meet industry standards and compliance requirements. Veracode can help achieve these standards and compliance. To ensure this, Veracode must be set up to scan and integrate with the Jenkins CI/CD pipeline.

We capture the health and pharmacy data of users, so Veracode is deployed in various countries and running live. We have over ten million users.

I worked as a security tester for a service-based Indian IT company. I had the admin right on the application where I used to provide access to other developers so they could execute unit-level tests directly from their console. There are many types of security testing activities, such as false positive analysis or looking into the code from a secure point of view, getting the mitigations done, and then retesting the applications.

We initially had more than 15,000 vulnerabilities. Veracode helped us to regulate all the teams. I gave the consult level access and a basic level of access to developers. My manager and I trained the developers in secure coding practices.

DevSecOps is a process that helps improve security in software development. From a DevSec perspective, it is a great way to improve security in software development. However, from a DAST perspective, it is not as good because the results cannot be easily integrated into the CI/CD pipeline. Integration with Jenkins is seamless. It didn't make much of a difference for us, but it could be different for other applications of the latest technology. Veracode has the feature of issue creation in the Jira portal itself. For example, if we're scanning an application and Veracode reports 15 issues after the security scan is complete, the solution will automatically create Jira tasks related to security, which can be assigned to the appropriate developers. Veracode is good from that perspective, but it needs more evolution. The solution needs moderation because if by some chance a big module or issue pops up, we could get 10,000 issues. That would be a real complication from the Jira point of view.

When it comes to false positives, I used Veracode for two-and-a-half years and it has been fine and fair.

When our developers find a false positive it doesn't make much of a difference. They are just happy knowing what is wrong and right. Developers know how to code, but they don't know secure coding. We are generally there to guide them and most of the time, I used to do the false positive analysis by myself and not leave it to the developers. The developers would get a refined and concrete number of vulnerabilities to quickly work on. In some cases, the developers also find issues that we missed because we have to work on multiple applications at once.

I don't believe there's any cost related to the machine-learning side of Veracode, but it takes a lot of time because SaaS issues are those that couldn't be resolved by a junior or intermediate-level developer generally. Most of the time, these issues are resolved by people with five-plus years of experience because there are security issues. To understand the security complications, we need to have some knowledge of the architecture and design levels of the application. If we don't have design-level information, it's difficult to correct. Without a senior-level developer to guide us, it can cost us a lot. The senior resources getting deployed could be used elsewhere for more development activities. However, the mitigation is provided by Veracode and the detailed report is very good.

Veracode has helped fix flaws affecting our organization by making the applications a lot more secure.

We use a code review-based tool, so the unique aspect of Veracode is that it is really good for legacy or old technologies. It can scan old databases and old code written 20 years back.

Depending on the technology we are working with, the solution's ability to prevent vulnerable code from going into production whether it is Java-based code or ASP.net, the efficient number of identification codes is the best in the market for legacy technologies. I would use Fortify or Checkmarx to test accordingly using the latest code.

The best feature I like about Veracode is the ability to give low-level access to accounts. The identity access management system is really good and we can even integrate it with the ID. For example, if we're coding in Eclipse or something similar we can push the code from the ID directly into Veracode's backend to have its security tested. It is cloud-hosted and the downtime is very minimal. We could check the results anywhere, anytime. This makes the platform's independence very good. 

The solution provides visibility into application status at every phase of development. We can see and make adjustments accordingly at each level.

Veracode is a great solution for old applications. I would only recommend Veracode for older applications.

One of the most important areas that need improvement for Veracode is its DAST. Veracode's DAST engines are primitive. They need to work on that. It needs to be their number one priority.

The number of vulnerabilities and quality of the latest technology when compared to other scan engines such as Fortify and Checkmarx is not as good.

Veracode has multiple sides when it comes to dynamic testing. They offer software composition analysis, dynamic scans, and static scans. However, I would not recommend Veracode for dynamic testing because it wasn't able to scan many of our applications properly. Some of the other solutions were really efficient and proactively reported a lot of vulnerabilities. The Veracode scanner was not able to properly scan the applications because of authentication issues and login issues. HP Web Inspect and Microfocus Web Inspect allow us to make scripts by ourselves, which will then enable the scanner to scan the website in a more proper and systematic way. There were a lot of complications with Veracode's dynamic point of view, and a negligible amount of vulnerabilities were reported. On the other hand, when I tried Next Parker or Micro Focus Web Inspect, things were really good.

If we have to scan the latest code, for example, if we have written a piece of code in Angular or Node.js, we can't consider the solution because it is not as good as other solutions using newer code.

I have been using Veracode for two and a half years.

Veracode is stable, but every now and then something breaks. From a stability standpoint, I would give the solution a seven out of ten.

Veracode is scalable. I give the scalability a ten out of ten.

The technical support is really slow. Their availability is sparse. It sometimes takes two months to have a resolution.

Negative

I started my career with Veracode, a DAST review tool. I worked there for two-and-a-half years.

The solution is not deployed on our systems. It is cloud-based and only requires logging on.

The requirements for the code determine whether Veracode is the best option or not. If the code is 15 to 20 years old, and it is very important, then Veracode is the best option. If the code is very new, then I wouldn't want to spend any money on the solution. It all depends on the requirements.

There is a fee to scale up the solution, which I consider expensive.

We did POCs and collaborated with Fortify, Veracode, and Checkmarx to see who gives the best results for all the applications. Veracode gave the best results, so we chose them for our organization.

I give the solution a six out of ten.

Veracode has not directly helped our developers save time. There was no interaction between the Veracode team and us, so it was minimal whenever some issues such as false positives are reported by the solution. There were some issues with the Veracode engines a few times that required customer support to resolve.

I used to go to Veracode's website and log in. It was updated automatically, and I could access it from multiple devices. I'm not sure which cloud they were using, but it was managed by Veracode.

We have around 18 people using Veracode and two of them are administrators.

Veracode is accessed via a website on the internet. Their backend team takes care of any maintenance that is needed.

We use Veracode to scan the applications.

Veracode's ability to prevent vulnerable code from entering the production environment is good.

Using Veracode's ASC team is easy. I can send them an email and arrange a call from the app. They were helpful when I had issues or questions about using the app.

Free access to the ASC team is a significant advantage because they possess in-depth knowledge of the product and are readily available for assistance.

It is innovative when it comes to features.

Veracode helps our organization with security scanning. We realized the benefit of Veracode as soon as it was deployed.

The policy reporting is valuable because it provides two key benefits: first, it generates a security score for our application. Second, it offers comprehensive reporting that details both the vulnerabilities found and the potential risks they pose to our application.

Veracode can provide visibility into application status at every phase of development.

It assists our application team in fixing flaws by identifying issues and guiding the team toward resolving them.

Veracode helps our developers save time by ensuring the code is secure.

Veracode helps us improve our overall security posture. When a Veracode report shows no vulnerabilities, it indicates a strong security position. This allows the security team to sign off on approvals more efficiently, as a clean Veracode report is a key factor in their evaluation process.

Veracode is a valuable tool for a shift-left security strategy. It helps save overall development time, money, and effort by identifying and resolving security vulnerabilities early in the development lifecycle.

I find Veracode's SASD feature to be the most beneficial because it enables us to proactively identify security vulnerabilities in our application code before deployment. This static analysis helps ensure a secure application rollout across all environments.

The scanning takes a lot of time to complete.

Veracode offers comprehensive visibility into application security throughout the development lifecycle. However, due to cost constraints, we are not currently utilizing all available analysis types.

I would like Veracode to introduce infrastructure as code scanning.

Instead of relying on emails, it would be beneficial if Veracode offered a built-in tool for logging and managing issue tickets.

Veracode sometimes performs maintenance without notifying clients in advance, which can cause disruption.

I have been using Veracode for two years.

For the most part, Veracode is stable but there are times when we have downtime due to maintenance that we are not informed of.

I would rate the scalability of Veracode nine out of ten.

Technical support has been great at fixing any issues I've had.

Positive

My client in the banking industry previously used Black Duck before switching to Veracode.

Veracode's end-to-end testing offers a significant advantage over other solutions by providing a comprehensive security solution. This includes capabilities for static analysis, dynamic scanning, and even penetration testing. However, the cost associated with dynamic scanning and penetration testing may deter some clients from utilizing these features.

I don't have firsthand knowledge of Veracode pricing, but based on client feedback, it seems to be expensive with additional fees for certain features.

I would rate Veracode eight out of ten.

Maintenance is performed by Veracode.

During a Veracode evaluation, consider the following factors: Evaluate the time required for Veracode to complete a scan. Faster scans allow for quicker feedback and integration into development workflows. Consider the overall cost of Veracode, including licensing fees and any associated charges for scans. Assess Veracode's orchestration tools, particularly its compatibility with your existing CI/CD pipeline. Ideally, Veracode should offer seamless integration for easy adoption. Evaluate the availability and variety of connectors Veracode offers for integration with your development tools. A wider range of connectors simplifies the integration process.

We use Veracode for static application security testing, dynamic testing, and software composition analysis. My company's engineering team has about 50 people who use Veracode across multiple product lines. 

The main benefit of Veracode is that we can deliver better, more secure software. Our customers also trust Veracode. When we share the Veracode report, they see that we have gone through all the due diligence.

Veracode aligns with SOC, ISO, and other types of certifications. It helps with compliance that Veracode has all these reporting formats. The solution provides visibility at every stage of development. We have automated almost everything through integration with Jenkins. As soon as the developer commits, it triggers the static scan for the main branches. We don't need to trigger the scan manually or do a follow-up to see if it's done scanning. 

The solution saves time by reporting issues and recommendations that help developers fix the reported vulnerabilities faster. I estimate that it improved developer productivity by about 10 percent.

Veracode has good support for microservices, and I also like the sandbox environment. For example, when introducing a new component, we can scan it in a sandbox environment. It will not impact the main environment. When our team fixes it, they. can push it to the production environment when the results are acceptable. 

The solution effectively prevents vulnerabilities from entering production. We've drastically reduced our third-party VAPT-reported issues. Before Veracode, the third-party VAPT analysis reported hundreds of issues per application. Now it's down to about 20, and Veracode can address most of them.

The interface is one thing I find a little challenging. Veracode's interface feels a little outdated compared to other solutions, and it could be modernized. I'm mostly happy with the features, but Veracode could add Docker image scanning. 

I have used Veracode for about six years.

Veracode seems stable. I don't recall facing any issues. 

Veracode is scalable.

I rate Veracode support eight out of 10. They are quite good at responding to issues. 

Positive

We tried AppScan and Snyk.  From an integration perspective, Snyk is a little better integrated with our pipelines and ticketing system. 

I can't recall the deployment well, but I think it was straightforward. Veracode requires no maintenance after deployment. 

I have not calculated the return on investment, but I think it's at least 200 percent. 

We aren't paying the listed price. We get some discounts, but we get a lot of value from it regardless of what we're paying. We look at the overall cost of what we would spend without a tool like Veracode. The longer you delay fixing security vulnerabilities, the more it will cost you during the later stages. By integrating it into the development cycle earlier, it helps to keep total costs lower.

We evaluated multiple scanning solutions before choosing Veracode, and we perform a mandatory comparative analysis annually. Veracode's scanning engine is more innovative and provides a more detailed analysis relative to Snyk and AppScan. It performs much better in terms of the number of issues discovered. 

I rate Veracode 10 out of 10. When implementing Veracode, you need to develop a workflow or a process. It becomes easier if you have that in place. For example, you can create a workflow where you scan inside the sandbox and approve those fixes before moving to production. 

Also, you should have separate people for raising issues, remediation, and approval. That way, you will have some control over which issues are mitigated and for what reason. That process flow has to be set up properly. Another aspect of successful implementation is automation. Your team needs to invest time in automating and embedding scanning in your pipelines. 

My company produces one of the most secure fabrics that you can find. Veracode is integrated into our development cycle through Jira. We do a full static analysis with Veracode and use Burp Suite to review the findings. The most common attack vector we find in Java code is SQL injection. When SQL injection shows up, you send a screenshot and a report to your executive team. They see the screenshot and say, "Oh, they're seeking injection here." 

This has now become a top priority. We're going to pause all these redundant features that we're making here and ensure our code is secure with no SQL injection vulnerabilities. Veracode finds everything, and the security engineers do the penetration test using the results. You provide a report showing where the issue is, and developers can fix it. We also use Veracode to train security engineers and teach them how to file reports.

My case is different from other individuals. I worked for a startup, so we had to find a way to capitalize on all the resources in Veracode. Larger organizations are not leveraging the built-in dashboard. That aspect is what people want to know about. They want to see how their money is being spent on security. The biggest problem with security is getting funding. None of these executives believe anything these users are saying until they can see the results.

They want that dashboard report. In less than three weeks, a junior security engineer can learn to create a dashboard easily that will allow the organization to stay on top of the most important things. They need to show the stakeholders that we're doing something here. They'll get the certification and see the dashboards. You now have something that's actually worth $2,000. With these other ones, who knows what you'll get. 

It allows us to provide a certificate showing stakeholders and potential customers the proof that we take security seriously. Everyone says that they're on top of their security and have all these things in place. In a sales call, we can immediately respond to any questions about our security posture by pointing them to a link showing that your company was among the few companies that completed the full certification process. Veracode has four levels of certification, and we are at level three, I believe. 

To my knowledge, Veracode is the only real devSecOps pipeline that captures every component of the software delivery cycle, from sandbox and staging to development and production. You need to go through those four phases and ensure the code is secure by the time it hits production. Veracode handles all those phases seamlessly and can be automated with Jenkins.

Veracode is highly efficient at fixing flaws. A single person can go through and do a penetration test after collecting the data from Veracode. Instead of telling developers where the issue is, they can show them in the code editor for the static analysis. They can assign tasks to the team using Jira, so developers almost never need to do that work. They actually almost never go back and fix any of these vulnerabilities. That's why I was my company's most hated and most loved man. I forced them to do it.

I like Veracode's API. You can put it into a simple bash script and run your own security testing from your MacBook in less than 15 minutes. Veracode's application security consulting team is very helpful. They're responsive and follow up quickly. 

Veracode would benefit greatly from more training resources. The videos are great, but I would like more hands-on training writing a script, validating a script with a unit test in a different language, etc. That's something that would be very valuable. 

We have used Veracode for more than four years.

Veracode is highly stable. It very rarely crashes. 

I rate Veracode support 10 out of 10. Their customer support is incredible. If I have any issues, I can immediately connect with their support team and have a real working solution within one week.

Positive

Deploying Veracode is easy. I had the best customer success manager at Veracode helping me. After deployment, Veracode requires little maintenance. 

Veracode is inexpensive and cost-effective. The licensing model is unambiguous. You know what you are getting. They also give you several seats for training. That's why it would benefit them to improve the training because more people could take advantage of it and use certifications. Some certifications for other products don't have much real value, but Veracode is a product many companies use, so it could help people get jobs.

If you're concerned about the cost, you should meet with a representative to talk about pricing. Veracode is flexible, and they're willing to let companies try the platform or test different features. They will work with companies to get to the point where they'll use it.

I used JFrog X-ray with homegrown scripts for testing the code. It was terrible. We chose Veracode because it is more scalable. We could run scans on any code, and it was reliable. Also, their documentation was up to date. With other software providers, you would find an issue in the documentation, and they would backtrack, saying, "Oh, no one's using that." 

Veracode immediately responds to the community. You have people in the community supporting each other and suggesting new features. Software providers say they're open to suggestions. Veracode will quickly get something from the community and immediately put it into development. JFrog has the same stuff as they did four years ago. They haven't changed anything. 

I rate Veracode 10 out of 10. Veracode is constantly changing and improving.