COE Head at a tech services company with 1,001-5,000 employees
The dynamic analysis feature helps secure risky web applications
Pros and Cons
- "I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc."
- "Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data."
What is our primary use case?
Our primary use case for Veracode is to secure our software development lifecycle. It's deployed in a couple of countries and connected to multiple applications. It's used by five development teams, each of which has a different focus, such as digital channels, CRM, ERP, backend deployment, and billing. We also have a team that coordinates all of the efforts of the secure development policies. That team sets the guidelines and policies. The entire development team has about 20-30 people.
How has it helped my organization?
Veracode has sped up the development cycle, helping us bring products to the market faster. I work at an IT services company with hundreds of customers who have various needs for different kinds of tools. That doesn't mean we use Veracode for all our customers, but for certain customers, it's critical because the solution reduces the amount of time needed to prevent and detect issues. Bringing secure applications into production is essential.
We can't just rely on our development teams to make, test, and manually review the code. We need powerful tools that provide a strong framework for detecting vulnerabilities and scanning application components. Penetration testing is the most important because hackers break into the application and access the information.
Dynamic analysis is also crucial for web applications, which can be risky. Veracode can dynamically detect vulnerabilities and block traffic. It is sometimes hard to differentiate real users from hackers. Dynamic analysis must be implemented with a user-sensitive perspective.
I work in Latin America, and there are regulations on information security and the use of customer information. The most vital areas are things like health information and finance. You can face penalties for failing to protect customer information, so it's critical for us to secure our code during development. Any vulnerable code or application component can risk disclosing customer information from customers and allowing an outsider to penetrate the systems or databases.
Veracode offers visibility throughout the entire development lifecycle. SecOps is an essential framework inside the organization currently because we need to deliver applications to market faster while improving code quality. It's crucial to be careful when using code generated by community sources. We need to test the final applications and also the components and packages in any code repository we use.
We're deploying complex pipelines and utilizing CI/CD. For example, Veracode is important when connecting management tools, code repositories, and various cloud components. Having that integration and capacity to connect to various tools in the DevOps framework is vital for the DevOps team. Every business must decide its risk tolerance and set a threshold of vulnerability permissions in the application to detect. It's really powerful if you can configure the threshold correctly.
Developer confidence depends on their capacity to understand, and Veracode has to detect vulnerabilities and provide suggestions for correcting them. Sometimes it's an upgrade; sometimes not. It also provides different kinds of information to the developers.
Veracode has had an enormous impact on our ability to detect flaws. It's risky if we don't have the capacity to detect vulnerabilities in the earliest stage of development before the applications go into production. It's also an important time-saving tool. It reduces the time spent manually addressing vulnerabilities by about 20-30 percent.
What is most valuable?
I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc.
Most of the time, the key thing was to ensure the security of digital channels and reduce the risk of any breach that could cause a security issue. It's critical to maintain the security of sensitive information transferred from our customers to the sales staff. Keeping that data secure is important for the customer relationship and also for compliance and recurring sales.
I rate Veracode 10 out of 10 for its ability to prevent vulnerable code from entering production. It has a lot of useful and intuitive features. In previous settings, static analysis was one of the primary use cases, but dynamic analysis is also helpful. Veracode is highly valuable because one vulnerability could result in service downtime or worse: a leak of customer information.
The investment in the tool is justified because we can detect and prevent vulnerabilities much earlier in the process. Software composition analysis is also vital when we use open-source middleware or backend components for business-critical functions like bringing information from one source to another or connecting one application to another.
What needs improvement?
Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data.
You pay for all of the time that the tool is running, not for the number of scans. There are specific rules governing the amount of traffic applications can consume from the allotment you have. I would like the pricing to be more personalized. For example, some companies don't have a large budget for this kind of tool, whereas a large enterprise can acquire this kind of solution and pay for it. However, I'm an IT consultant working with various types of customers in different industries, including finance, insurance, and telecommunications.
Buyer's Guide
Veracode
January 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
832,340 professionals have used our research since 2012.
For how long have I used the solution?
I started using Veracode at least three years ago.
What do I think about the stability of the solution?
Veracode is a highly stable platform. I haven't experienced any service disruption, and the performance is solid.
What do I think about the scalability of the solution?
I've used Veracode in a telecommunication company with a huge environment and more than a hundred applications. I don't have experience with smaller-scale use cases, but I know the cloud is quite scalable.
How are customer service and support?
I rate Veracode support nine out of 10. We get support from the resellers and direct support from Veracode analysts. We call the support team or the architect when there is a serious technical issue.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I haven't used a commercial tool like Veracode before. It depends on where I'm working, but the most common tool we use is an open-source solution called SonarQube.
How was the initial setup?
Veracode is straightforward to deploy. It's not hard to connect it, and we had support from a local vendor to help us integrate it into our dev lifecycle. It required only one person from my team.
What about the implementation team?
We had assistance from our local reseller, and the experience was great because we had a direct connection from the partner to the brand. We have a local team member who was in charge of the resell process.
What was our ROI?
We calculate the return on investment primarily based on the risk. We calculate the ROI annually, but it's not very detailed. We factor in the risks associated with the loss of customer information, penalties for noncompliance, etc. In the worst-case scenario, we estimate that we could potentially lose up to $1 million annually.
What's my experience with pricing, setup cost, and licensing?
The licensing model could be more flexible, and Veracode could be more accessible to smaller enterprises. We obtained Veracode through a consultancy. Veracode sets the price through consultation with our reseller, but I have yet to get a direct quotation without any other reseller in the middle. If you are worried about the price, I would say that you could request more information and do a trial, then see if you can negotiate an offer.
Which other solutions did I evaluate?
We decided to use Veracode without comparing it to any other kind of solution. We had a kind of consultancy from one of the companies, the IT services company that was one of our partners. They worked closely with us, and we selected Barracuda, the tool that we needed.
What other advice do I have?
I rate Veracode nine out of 10. It's an excellent solution for securing the development lifecycle. I recommend starting with a trial and getting in touch with the account team to explore all of the different features.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
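The reviewer above describes setting a risk tolerance as a threshold in the CI/CD pipeline and notes that the tool is only powerful if that threshold is configured correctly. The following is an added example written for this page, not Veracode's code or API, of what such a gate looks like when it is scripted: it reads a scan report, applies a policy (lowest blocking severity, per-severity budgets for open findings, and risk acceptances that expire) and returns a verdict the pipeline can act on. The report schema, severity names, policy fields and all finding ids are assumptions constructed for the demo.

```python
"""Added example (not Veracode's code or API): a policy gate that a CI/CD
pipeline can run over a scan report to fail the build when findings exceed the
severity threshold the team has agreed on.

Assumptions: the report format (a JSON document with a "findings" list) and
the policy fields are hypothetical; real scanners emit their own report schema,
so the loader would be adapted to it.
"""
import json
from dataclasses import dataclass, field
from datetime import date

# Ordering used to compare severities; the names are an assumption for the demo.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "very_high": 4}


@dataclass
class Policy:
    fail_at: str                                     # lowest severity that blocks the build
    max_allowed: dict = field(default_factory=dict)  # per-severity count budget for open findings
    accepted: dict = field(default_factory=dict)     # finding id -> ISO expiry date of the risk acceptance


def finding_blocks(finding, policy, today):
    """True when an open finding is at or above the blocking severity and has no valid risk acceptance."""
    if finding.get("status") == "fixed":
        return False
    expiry = policy.accepted.get(finding["id"])
    if expiry is not None and date.fromisoformat(expiry) >= today:
        return False  # accepted risk that has not expired yet
    return SEVERITY_RANK[finding["severity"]] >= SEVERITY_RANK[policy.fail_at]


def evaluate(report_json, policy, today=None):
    """Return a verdict: whether the gate passed, which findings block it and which budgets were exceeded."""
    today = today or date.today()
    findings = json.loads(report_json)["findings"]
    open_findings = [f for f in findings if f.get("status") != "fixed"]
    blocking = [f["id"] for f in open_findings if finding_blocks(f, policy, today)]
    counts = {}
    for f in open_findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    over_budget = {sev: n for sev, n in counts.items()
                   if n > policy.max_allowed.get(sev, float("inf"))}
    return {"passed": not blocking and not over_budget,
            "blocking": blocking, "over_budget": over_budget, "counts": counts}


# Constructed sample report; the ids, CWE numbers and severities are made up for the demo.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "F-1", "severity": "very_high", "cwe": 89, "status": "open"},
    {"id": "F-2", "severity": "high", "cwe": 79, "status": "open"},
    {"id": "F-3", "severity": "high", "cwe": 22, "status": "fixed"},
    {"id": "F-4", "severity": "medium", "cwe": 327, "status": "open"},
    {"id": "F-5", "severity": "medium", "cwe": 532, "status": "open"},
    {"id": "F-6", "severity": "low", "cwe": 200, "status": "open"},
]})


def run_sample(today_iso="2025-01-15", medium_budget=5):
    """Evaluate the sample report: block on high and above, allow a budget of mediums, F-2 accepted until end of 2025."""
    policy = Policy(fail_at="high", max_allowed={"medium": medium_budget},
                    accepted={"F-2": "2025-12-31"})
    return evaluate(SAMPLE_REPORT, policy, today=date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(run_sample())                 # F-1 blocks; F-2 is an accepted risk
    print(run_sample("2026-01-15"))     # the acceptance of F-2 has expired, so it blocks too
    print(run_sample(medium_budget=1))  # the medium budget is exceeded as well
```

Two design choices matter here: a risk acceptance carries an expiry date, so an accepted finding is revisited instead of being waived forever, and fixed findings are excluded from the budgets so that the gate measures the current exposure rather than the scan history.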
Insurance Agent at ICEA
The ability to prevent vulnerable code from entering production works very well
Pros and Cons
- "Code scanning is the most valuable feature."
- "The UI is not user-friendly and can be improved."
What is our primary use case?
We use Veracode to scan our codes for vulnerabilities and risks.
How has it helped my organization?
Veracode's ability to prevent vulnerable code from entering production works very well, and it can detect the type of script used.
The software bill of materials helps us understand the industry that we are in and ensures we have a stable solution.
We can easily create a report using a software bill of materials because it has good templates that we can use.
Veracode has improved our organization by allowing us to fix the flaws quickly for our clients by making data coding easy.
Veracode provides visibility into all phases of development.
The visibility into our development provides confidence to our DevSecOps that they will be able to deploy on time with no errors.
The false positive rate is good but we require a lot of skills to utilize it properly.
The false positive helps our DevOps troubleshoot every stage of development and increase their efficiency which boosts their confidence.
Veracode has helped our developers save around 20 percent of their time.
It has increased our organization's ability to fix flaws. We can scan code in a video which reduces costs and risk.
Veracode has increased security in our overall security posture because it detects flaws during scans.
We have saved around $500 a month in DevOps with Veracode.
What is most valuable?
Code scanning is the most valuable feature.
The templates allow us to create wonderful reports.
The software bill of materials feature helps our supply chain security.
What needs improvement?
The backend support team of Veracode requires improvement as they are difficult to reach when we encounter issues.
The UI is not user-friendly and can be improved.
The speed of our internet connection affects the scanning process, which may take a considerable amount of time to finish. As a result, this can lead to challenges in planning and reporting, causing confusion.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
Veracode is scalable.
How are customer service and support?
The support is slow to respond.
How would you rate customer service and support?
Neutral
How was the initial setup?
The initial setup was straightforward. I deployed the solution myself within three days.
What about the implementation team?
The implementation was completed in-house.
What was our ROI?
We have seen a 32 percent return on investment with Veracode.
What's my experience with pricing, setup cost, and licensing?
The licensing cost for Veracode is fair.
What other advice do I have?
I give the solution an eight out of ten.
Veracode is user-friendly depending on how we use it.
We have seven people using the solution.
Veracode does not require any maintenance on our end.
Veracode is a secure, reliable, and sustainable tool that all organizations should use for scanning code.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Lead Consultant DevOps and Infrastructure at a tech vendor with 5,001-10,000 employees
Prevents vulnerable code, offers end-to-end visibility, and saves our developers time
Pros and Cons
- "This static analysis helps ensure a secure application rollout across all environments."
- "The scanning takes a lot of time to complete."
What is our primary use case?
We use Veracode to scan the applications.
How has it helped my organization?
Veracode's ability to prevent vulnerable code from entering the production environment is good.
Using Veracode's ASC team is easy. I can send them an email and arrange a call from the app. They were helpful when I had issues or questions about using the app.
Free access to the ASC team is a significant advantage because they possess in-depth knowledge of the product and are readily available for assistance.
It is innovative when it comes to features.
Veracode helps our organization with security scanning. We realized the benefit of Veracode as soon as it was deployed.
The policy reporting is valuable because it provides two key benefits: first, it generates a security score for our application. Second, it offers comprehensive reporting that details both the vulnerabilities found and the potential risks they pose to our application.
Veracode can provide visibility into application status at every phase of development.
It assists our application team in fixing flaws by identifying issues and guiding the team toward resolving them.
Veracode helps our developers save time by ensuring the code is secure.
Veracode helps us improve our overall security posture. When a Veracode report shows no vulnerabilities, it indicates a strong security position. This allows the security team to sign off on approvals more efficiently, as a clean Veracode report is a key factor in their evaluation process.
Veracode is a valuable tool for a shift-left security strategy. It helps save overall development time, money, and effort by identifying and resolving security vulnerabilities early in the development lifecycle.
What is most valuable?
I find Veracode's SASD feature to be the most beneficial because it enables us to proactively identify security vulnerabilities in our application code before deployment. This static analysis helps ensure a secure application rollout across all environments.
What needs improvement?
The scanning takes a lot of time to complete.
Veracode offers comprehensive visibility into application security throughout the development lifecycle. However, due to cost constraints, we are not currently utilizing all available analysis types.
I would like Veracode to introduce infrastructure as code scanning.
Instead of relying on emails, it would be beneficial if Veracode offered a built-in tool for logging and managing issue tickets.
Veracode sometimes performs maintenance without notifying clients in advance, which can cause disruption.
For how long have I used the solution?
I have been using Veracode for two years.
What do I think about the stability of the solution?
For the most part, Veracode is stable but there are times when we have downtime due to maintenance that we are not informed of.
What do I think about the scalability of the solution?
I would rate the scalability of Veracode nine out of ten.
How are customer service and support?
Technical support has been great at fixing any issues I've had.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
My client in the banking industry previously used Black Duck before switching to Veracode.
Veracode's end-to-end testing offers a significant advantage over other solutions by providing a comprehensive security solution. This includes capabilities for static analysis, dynamic scanning, and even penetration testing. However, the cost associated with dynamic scanning and penetration testing may deter some clients from utilizing these features.
What's my experience with pricing, setup cost, and licensing?
I don't have firsthand knowledge of Veracode pricing, but based on client feedback, it seems to be expensive with additional fees for certain features.
What other advice do I have?
I would rate Veracode eight out of ten.
Maintenance is performed by Veracode.
During a Veracode evaluation, consider the following factors:
- Evaluate the time required for Veracode to complete a scan. Faster scans allow for quicker feedback and integration into development workflows.
- Consider the overall cost of Veracode, including licensing fees and any associated charges for scans.
- Assess Veracode's orchestration tools, particularly its compatibility with your existing CI/CD pipeline. Ideally, Veracode should offer seamless integration for easy adoption.
- Evaluate the availability and variety of connectors Veracode offers for integration with your development tools. A wider range of connectors simplifies the integration process.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Executive Director at Precise Financial Systems Limited
Has great static scanning and has had a significant impact on our organization's ability to address flaws
Pros and Cons
- "The static scan is the most valuable feature."
- "Veracode is costly, and there is potential for improvement in its pricing."
What is our primary use case?
We use Veracode to ensure our solutions meet the security standards in the financial industry in Nigeria.
How has it helped my organization?
Veracode does an excellent job to prevent vulnerable code from entering production.
Veracode ensures that the products we create for our clients are free of any code-related issues. This keeps them satisfied with our service and encourages them to continue doing business with us.
Veracode provides peace of mind and increases confidence in our code within the market. We realized the benefits within a few months.
At first, we experienced a high number of false positives, but the Veracode team provided guidance that enabled us to significantly reduce the count.
Initially, our developers were frustrated due to the high false positive rate. However, as we managed to reduce the number of false positives and the developers recognized that these were not actual issues, their morale improved, and their acceptance of the use of Veracode increased.
The false positive rate of the static analysis reduced the time that we spend on different operations.
Veracode has had a significant impact on our organization's ability to address flaws. The solution is capable of detecting issues and providing suggestions that assist us in rectifying problems within the code.
Veracode helps our developers save time. We review the recommendations provided by the solution, adhere to our best practices, and then proceed to implement these suggestions. In cases where we might have had three lines of code, the solution is capable of reducing that to one or two lines. I would estimate that Veracode has decreased our developer time by 40 percent.
Veracode enables us to enhance our security posture by applying the knowledge we acquire through Veracode to all our new projects. Additionally, we can revisit previous projects to implement upgrades and add features, thereby enhancing their security.
Veracode helps to decrease our DevSecOps costs by saving our developers' time and aiding in the production of error-free code.
What is most valuable?
The static scan is the most valuable feature. We are also currently evaluating the Dynamic scan.
What needs improvement?
Veracode is costly, and there is potential for improvement in its pricing. In our region of the world, it is challenging to attract a significant number of sign-ups due to its unaffordability.
For how long have I used the solution?
I have been using Veracode for one year.
What do I think about the stability of the solution?
Veracode is stable.
How are customer service and support?
Based on the limited interaction we've had with technical support, I am satisfied with their service.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used a tool in the past that was free, but we couldn't depend on the quality of the scans it provided in the free version.
What's my experience with pricing, setup cost, and licensing?
The cost of Veracode is high.
There comes a point when we must make a decision between cost and quality, and we chose to prioritize quality by selecting Veracode. The confidence that Veracode instills in both our developers and clients justifies the associated cost.
We have four solution licenses for the static analysis scans.
Which other solutions did I evaluate?
We also evaluated one of Veracode's competitors. After conversing with the sales and technical teams of both solutions, we concluded that Veracode was the best choice for us.
What other advice do I have?
I rate Veracode an eight out of ten.
We are currently in the process of investigating Veracode's capability to offer insight into the status of applications at each stage of development.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager Consultant at a tech services company with 1-10 employees
Has assisted our customers in deploying safely, thereby reducing both risk and hassle
Pros and Cons
- "Static code scanning is the most valuable feature."
- "I would like Veracode to also have the ability to fix these flaws in a future release."
What is our primary use case?
We are a Veracode reseller and we utilize their solution for software vulnerability analysis. Our primary objective is to identify any security issues in open-source libraries that have been rejected. Additionally, we perform dynamic code scanning and employ Static Application Security Testing for comprehensive application security testing.
How has it helped my organization?
Veracode prevents 100 percent of vulnerable code from entering production.
Veracode has assisted our customers in deploying safely, thereby reducing both risk and hassle. Additionally, the solution has aided in reducing the costs associated with problem resolution. We noticed the benefits within the first day of using Veracode.
Veracode's policy reporting for ensuring compliance with industry standards and regulations is excellent. We only need to specify the regulation we must comply with, and the report will be generated instantly.
Veracode provides visibility into the status of applications at every phase of development. It is one comprehensive integrated system, but we can also utilize specific features like SAST if we require it.
In the absence of Veracode, the security team typically informs the developers about the policies that must be adhered to, and they enhance the code in a manner that ensures compliance. However, when Veracode is utilized, this step becomes unnecessary. Each individual focuses on their respective strengths, allowing for seamless collaboration.
We have compared Veracode with other solutions, and its false positive rate is the lowest in the industry.
Veracode's low false positive rate is key to our ability to avoid being burdened by false alerts and focus on fixing code.
Veracode's false positive rate of the static analysis has helped save us time.
Veracode helps fix flaws. Our customers have reported that it is faster and more compliant, making it easier for them to send out reports to various stakeholders when they have questions. For example, when dealing with higher-level management, we can create a report containing comprehensive statistics and informative pie charts, which greatly assists them. Additionally, this helps demonstrate the value of Veracode during internal assessments.
Veracode helps our developers save time.
Veracode helps improve our security posture as it ensures compliance and simplifies the process.
Veracode helps our developers save costs.
What is most valuable?
Static code scanning is the most valuable feature. Moreover, Veracode integrates with various frameworks and workflow solutions.
What needs improvement?
Veracode has the capability to identify flaws in the code. I would like Veracode to also have the ability to fix these flaws in a future release.
For how long have I used the solution?
I have been using Veracode for four years.
What do I think about the stability of the solution?
Veracode is an exceptionally stable solution.
What do I think about the scalability of the solution?
We can scale Veracode from one to thousands of applications within a minute.
Veracode is used by some of our customers for individual applications, as well as by others for thousands of applications.
How are customer service and support?
The technical support is great.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
In addition to previously using SonarQube, we also employed several other solutions before transitioning to Veracode due to its superior reporting capabilities.
How was the initial setup?
The initial setup is straightforward. The deployment time depends on the size of the built solution. If we consider a relatively modest number of apps, I would say that they can be up and running within a day or two. We first completed a good analysis of what our customer wanted and because Veracode is a cloud solution, we can have a code scan running within minutes. It is easy to integrate other frameworks and work with applications that are already integrated with Veracode. One product owner or software developer can handle the deployment.
What about the implementation team?
The implementation was completed in-house.
What was our ROI?
With Veracode, the benefits are clear, and we can see a return on investment through the visibility it offers. This enables us to fix flaws sooner, thereby reducing the time to market for our customers.
What's my experience with pricing, setup cost, and licensing?
Veracode provides value for the cost, with no additional charges apart from the standard licensing fee.
What other advice do I have?
I would rate Veracode a perfect ten out of ten because it consistently delivers on its promises.
Those who are concerned about Veracode's price should be aware that the solution holds value. Additionally, they should consider that other solutions are on-premises and require additional fees for reporting traffic processed, unlike Veracode.
The maintenance is all taken care of by Veracode.
Veracode is so straightforward that I have no advice to offer to anyone.
There are many companies out there that do not consider code security when thinking about cybersecurity risks. This holds true even for larger companies, where it is still a greenfield situation.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
Managing Director at Century Bottling Company
The Software Bill of Materials feature helps you understand what to do to minimize risks and maintain compliance
Pros and Cons
- "I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate."
- "Static scanning takes a long time, so you need to patiently wait for the scan to finish. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings."
What is our primary use case?
I use Veracode to ensure the projects I deliver don't have vulnerabilities.
How has it helped my organization?
Veracode provides insight into vulnerabilities at every stage, so your team can progress through the development cycle more efficiently. It improves developer confidence by showing us our capabilities and the potential of our code.
Our developers improve and become more efficient using Veracode. Once we identify issues in our code, it's much easier to avoid the same mistakes in future projects. It teaches them how to overcome those vulnerabilities and errors while reducing costs.
Veracode saves a lot of time compared to traditional methods for identifying vulnerabilities. We save around $500 a month using Veracode because we don't need to hire experts.
Veracode has improved our overall security posture. We feel assured that applications we deliver to clients or use internally are highly secure. It has helped us develop strategies to create stable, secure platforms.
What is most valuable?
I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate. I love the Software Bill of Materials (SBOM) feature because it helps you explore various industries and understand what to do to minimize risks and maintain compliance. It's straightforward and ensures my applications are compliant.
It's easy to create reports using the SBOM feature because it has templates that you can customize depending on the reporting requirements. It gives me a report of the compliance requirements for any industry. It helps us internally and improves the services we provide to our clients.
Veracode is great for preventing vulnerable code from going into production because it covers various programming languages like JavaScript and PHP. You can be confident that your code is secure no matter which language you use.
What needs improvement?
Static scanning takes a long time, so you need to patiently wait for the scan to finish. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings.
For how long have I used the solution?
I've used Veracode for three years.
What do I think about the stability of the solution?
Veracode is stable. I've been working with it for a long time.
How are customer service and support?
I rate Veracode support 10 out of 10. They're friendly and responsive.
How would you rate customer service and support?
Positive
How was the initial setup?
Deploying Veracode is straightforward. I did it with one other colleague.
What's my experience with pricing, setup cost, and licensing?
We can afford Veracode, but it's too expensive for small enterprises. If you're concerned about the price, you should weigh the benefits you can achieve. It has saved us a lot of money on DevOps. We save about $500 a month by not outsourcing this work to experts.
What other advice do I have?
I rate Veracode eight out of 10.
It's an excellent product for developing a secure platform that will benefit your company and its customers while helping you build a sustainable development team. Before implementing Veracode, you need to prepare and have at least one person who understands how to use the product.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Testing Engineer at TollPlus LLC.
We like the secrets detection feature
Pros and Cons
- "One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities."
- "Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code."
What is our primary use case?
We use Veracode as part of our development pipelines. It gives us security feedback when we run our applications. Our applications are completely containerized in Docker images with a .NET 4.6 architecture. These are web-based applications, so we want to know that all the HTTP requests are secured. The tool provides us with feedback to ensure that our application security is robust.
We are primarily running Veracode to check for vulnerabilities after the build. There is no pre-build process. We are running a post-build static analysis and dynamic analysis. We run it at the end of the development process.
How has it helped my organization?
Veracode's ability to detect security vulnerabilities is excellent. We can feel confident that none of the vulnerabilities will make it into production. It doesn't take long to realize the benefits from it. The interface is intuitive. We could start to see value from Veracode within a couple of weeks.
We don't have many false positives. We're using the tool's default rules and haven't done much customization. We can feel confident in the solution's results.
We can identify most of the issues before the production stage, and it also enables us to develop better practices in the development process. We also have a security testing team using Veracode to discover vulnerabilities. The discovery of issues after static analysis is super-efficient. It reduces our time spent on these tasks by about 30 percent.
Veracode has had a positive impact on our overall security posture. It's comprehensive, which is critical because our applications are mostly integrated, so we don't want to take any chances.
What is most valuable?
One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities.
Veracode helps us prevent vulnerabilities from entering production. We can put it into the pipeline and set an acceptable limit for vulnerabilities. If the number of vulnerabilities is under the threshold, we can deploy automatically.
What needs improvement?
Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code.
For how long have I used the solution?
I have only used Veracode for a year.
What do I think about the stability of the solution?
Veracode is stable.
What do I think about the scalability of the solution?
Veracode is scalable.
How are customer service and support?
I rate Veracode support eight out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We evaluated another solution briefly but we decided to keep Veracode. Veracode has some issues with container scanning, and we have some container-based applications. We considered bringing in another tool for container scanning, but it was too expensive and Veracode was able to mitigate the issues well enough.
What's my experience with pricing, setup cost, and licensing?
Veracode is affordable. It offers a good value for the security benefits it offers, especially if you're working with applications that involve payment processing. You cannot afford to take chances there.
What other advice do I have?
I rate Veracode nine out of 10. I recommend Veracode, depending on the type of application you are scanning. It's a leading solution in this domain. Veracode is the first name that comes to mind when people are talking about security scanning.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
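The reviewer above describes finding keys stored in a plain-text settings file. The following is an added example, written for this page, of the kind of check that catches that before a scanner or an attacker does; it is not the reviewer's code and not Veracode's secret detection. The settings file is constructed for the example (the AWS values are AWS's publicly documented example credentials, not live keys, and the JWT key is made up), and the detection rules, the sensitive-name list, the AWS key-ID shape, the length floors and the 3.5 bits/char entropy threshold, are assumptions chosen here:

```python
"""Scan a plain-text settings file for hard-coded credentials.

Added example: not the reviewer's code and not Veracode's secret detection.
The detection rules (name heuristic, AWS key-ID shape, entropy threshold) are
assumptions chosen for this example.
"""
import math
import re
from dataclasses import dataclass

# Constructed sample settings file. The AWS values are the publicly documented
# AWS example credentials, not live keys; the JWT key is made up for the demo.
SAMPLE_SETTINGS = """\
[app]
environment = production
log_level = info
max_connections = 50

[storage]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
bucket = toll-receipts

[auth]
jwt_signing_key = 9f8c2e7b1a4d6c3e5b7a9d1f2e4c6a8b0d3f5e7c9a1b3d5f7e9c1a3b5d7f9e1c
password_min_length = 12
"""

# Setting names that usually hold credentials (heuristic, an assumption here).
SENSITIVE_NAME = re.compile(
    r"secret|token|passw(or)?d|api[_-]?key|signing[_-]?key|private[_-]?key", re.I
)
# AWS access key IDs have a fixed shape: 'AKIA' followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
MIN_SECRET_LEN = 16      # a short value next to a sensitive name is a flag or a count, not a key
ENTROPY_MIN_LEN = 32     # only judge entropy on strings long enough to be meaningful
ENTROPY_THRESHOLD = 3.5  # bits per character; random hex/base64 keys sit above this


@dataclass(frozen=True)
class Finding:
    line: int
    name: str
    reason: str
    redacted: str  # never carry the raw secret into logs or tickets


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies."""
    if not value:
        return 0.0
    total = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognisable, hide the rest."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_settings(text: str) -> list[Finding]:
    """Return one Finding per 'name = value' line that looks like a credential."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, comments, section headers and lines without an assignment.
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        reasons = []
        if AWS_ACCESS_KEY_ID.search(value):
            reasons.append("matches AWS access key ID pattern")
        if SENSITIVE_NAME.search(name) and len(value) >= MIN_SECRET_LEN:
            reasons.append("sensitive setting name with a key-length value")
        if len(value) >= ENTROPY_MIN_LEN:
            entropy = shannon_entropy(value)
            if entropy >= ENTROPY_THRESHOLD:
                reasons.append(f"high entropy ({entropy:.2f} bits/char)")
        if reasons:
            findings.append(Finding(lineno, name, "; ".join(reasons), redact(value)))
    return findings


if __name__ == "__main__":
    for f in scan_settings(SAMPLE_SETTINGS):
        print(f"line {f.line}: {f.name} = {f.redacted}  [{f.reason}]")
```

Running the module prints three findings (the access key ID, the secret access key and the JWT signing key) with the values redacted; `password_min_length` is not flagged because its value is far too short to be a key. The three rules are deliberately independent so that a key with an unrecognised name is still caught by its shape or its entropy, and a renamed setting is still caught by its value.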
Application Security Engineer at Advantasure
It offers different types of scans we need in one integrated solution
Pros and Cons
- "I like Veracode's static scanning and SCA. We use three: static scans, software composition analysis, and dynamic scans. We haven't used dynamic scanning as much, but we're trying to integrate that into our environment more."
- "Software developers are always thinking about the next big thing but lose sight of what's happening right now. If you have an idea for a feature request, you must submit it to be voted on by the Veracode community. I don't like this. No one will look at it unless enough people vote for it."
What is our primary use case?
Veracode is our primary tool for identifying and resolving security flaws in our web-based applications. When I started at Advantasure, I worked on a claims product, using the tool to remedy coding issues and identify high-risk security flaws. I did that for a while before transitioning to a role as an application security engineer. In this job, I don't fix any security flaws. I help operate the environment.
We have integrated Veracode with Jenkins so that we can automate building and scanning code. Jenkins uploads the build to Veracode for static and SCA scanning.
I'm working remotely through a VPN. When I log into Veracode, I check the various applications out to ensure everything's running. If we have any issues, I report them to the appropriate teams.
How has it helped my organization?
We are in the health insurance industry, so compliance with security and privacy regulations is essential. Veracode is the industry standard. We use Veracode when we do internal audits and that sort of thing. You won't be in business for long if you don't have an industry-standard static security tool.
I have only worked at this company for two years, so I can't comment on what it was like before I joined, but Veracode does a good overall job of interfacing with us and giving us advice about areas we can improve. The company has used Veracode for a while, so it's not about improving per se. It's about maintaining and learning to use the tool better or making better use of dynamic scans. Our security doesn't depend on one feature. We're implementing multiple features, such as static and dynamic scans.
Their policies are relatively helpful for compliance. The policy configuration tool works well. We try to use one policy to cover all our applications. Once we've configured the policy correctly, it does an excellent job of applying that to each application and ensuring compliance. Veracode provides good visibility, and the reports are integrated, so we get insight into each type of scan.
Veracode's false positive rate is decent overall. The biggest challenge isn't a C or C++ call, but it's tricky to follow the data flows when using a web interface. You get a few false positives every once in a while.
I always tell our developers to verify all false positives because Veracode cannot follow your code flow. It's up to the developer to follow the code flow and check whether it's a false positive. The initial report is an excellent place to start. I don't think the false positives affect developer confidence. I never hear anybody complain about false positives.
The biggest challenge isn't Veracode; it's getting our developers to be compliant. Our organization is undergoing some changes, and we must remind the developers to do their jobs. As an application security engineer, I struggle to get developers to do these tasks because they don't want to do them. At the end of the day, the false positive rate doesn't affect developer productivity.
Veracode doesn't really help developers save time because we're already a mature organization. Their support team has helped us optimize our scan configuration significantly. Regarding the regular developers' goals, we have existing documentation and hold meetings with them. They do support consultations when developers have an issue.
What is most valuable?
I like Veracode's static scanning and SCA. We use three: static scans, software composition analysis, and dynamic scans. We haven't used dynamic scanning as much, but we're trying to integrate that into our environment more.
For the most part, we've had good luck with the static scans as well as the software composition analysis scans. Veracode does a decent job of catching most vulnerabilities from making it into production, but it doesn't catch everything.
What needs improvement?
I have a few pet peeves and minor areas of irritation. Their customer success team does an excellent job, but getting their internal engineering team to do things isn't easy. They seem to lack a focus on maintaining the solution and improving it in the next generation.
It's a common problem in the industry. Software developers are always thinking about the next big thing but lose sight of what's happening right now. If you have an idea for a feature request, you must submit it to be voted on by the Veracode community. I don't like this. No one will look at it unless enough people vote for it.
Another issue we have concerns entry points. You must select the entry points for a static scan of your stuff. However, you can fix this by having templates in Jenkins. Things can sometimes change, confusing Veracode. I want to lock those entry points in. Eventually, our DevOps team will create templates for everything. If I want a new template, I need to submit it to the community and get my peers to vote on it. It's a waste of time.
For how long have I used the solution?
I have used Veracode for two years.
What do I think about the stability of the solution?
I've been impressed with Veracode's stability. The solution doesn't go down often. The dynamic scans went down the other day, but that was a problem with the infrastructure, and AWS rarely has outages. Overall, it's dependable.
What do I think about the scalability of the solution?
We haven't had any scalability issues with our current scan volume, but we're a medium-usage client. We have more than 30 static scans and 12 to 15 dynamic scans and don't seem to have issues with performance.
How are customer service and support?
I rate Veracode support 7.5 out of 10. Overall, our technical support is decent. You have to find someone who works well with you. My biggest challenge is dynamic scanning and getting up to speed on that. You must find out who's good and stick with them as much as you can.
How would you rate customer service and support?
Neutral
What was our ROI?
Our ROI comes mainly in the form of compliance. We get a star rating when we're automated, and we need to maintain that. We currently have a fairly high rating, so it's not so much about gaining stars. We need to avoid losing them. By maintaining our high rating, we can also gain more clients.
What's my experience with pricing, setup cost, and licensing?
Veracode is expensive, but other solutions cost as much, if not more. For example, Rapid7's dynamic scan tool was at least as expensive as Veracode, and Rapid7 wasn't willing to negotiate. We are a reasonably large user.
It's a fair price. If you're worried about getting your money's worth, you could ask Veracode for a trial license and compare it to other tools in terms of pricing versus features. That's how I would do it. It's crucial to do your homework. At this point, we're somewhat locked in and won't change unless we find something significantly cheaper or better.
Which other solutions did I evaluate?
The company looked at other options, and we try to do one-stop shopping when possible. We looked at other tools like Rapid7 but decided against doing a proof of concept because it doesn't offer static analysis. I don't think they could do software composition without static analysis.
We could use Rapid7 for dynamic scans, but then we would have issues with report integration. One of the primary reasons we use Veracode today is that they have solid support. They typically respond to almost any ticket within 24 hours. Veracode also does an excellent job of integrating its various tools for static scanning, dynamic scanning, etc.
At the end of the day, we stay with Veracode primarily because of the solution's integration. Our license is up this year, and we currently have no plans to seek out another vendor. We may consider switching next year.
What other advice do I have?
I rate Veracode seven out of 10. Before you evaluate Veracode or any other solution, you need to sit down with other specialists and decision-makers to develop some criteria. See if Veracode will give you a free trial license, and start testing it out. You can also check Gartner.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
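Two reviewers above describe the same control from different angles: the TollPlus reviewer sets an acceptable limit for vulnerabilities in the pipeline and deploys automatically when the count is under it, and the Advantasure reviewer applies one policy across every application. The following is an added example of that gate, written for this page; it is not Veracode's policy engine and not either reviewer's pipeline code. The report shape, the severity names, the thresholds and the "mitigated"/"accepted" statuses are assumptions made for the example, and the findings for the three applications are constructed; a real pipeline (for instance the Jenkins job described above) would feed the scanner's own export into `gate()` and use the exit code to allow or block the deploy:

```python
"""Apply one vulnerability policy to every application's scan results.

Added example: not Veracode's policy engine and not either reviewer's pipeline
code. The report shape, severity names and thresholds are assumptions made for
this example; a real pipeline would read the scanner's own export instead.
"""
from collections import Counter
from dataclasses import dataclass, field

SEVERITIES = ("Very High", "High", "Medium", "Low", "Informational")

# One policy for every application: maximum number of OPEN findings allowed per
# severity. None means no limit. (Thresholds are an assumption of this example.)
POLICY = {"Very High": 0, "High": 0, "Medium": 5, "Low": None, "Informational": None}

# Findings in these states have an approved mitigation and do not count against the gate.
HONOURED_STATUSES = frozenset({"mitigated", "accepted"})

# Constructed scan results for three applications (not real findings).
REPORTS = {
    "claims-portal": [
        {"id": 101, "severity": "High", "cwe": "CWE-89", "status": "open"},
        {"id": 102, "severity": "Medium", "cwe": "CWE-79", "status": "open"},
        {"id": 103, "severity": "Medium", "cwe": "CWE-79", "status": "mitigated"},
        {"id": 104, "severity": "Low", "cwe": "CWE-200", "status": "open"},
    ],
    "billing-api": [
        {"id": 201, "severity": "High", "cwe": "CWE-798", "status": "accepted"},
    ] + [
        {"id": 210 + i, "severity": "Medium", "cwe": "CWE-20", "status": "open"}
        for i in range(6)
    ],
    "toll-rates": [
        {"id": 301, "severity": "Medium", "cwe": "CWE-79", "status": "open"},
        {"id": 302, "severity": "Low", "cwe": "CWE-200", "status": "open"},
        {"id": 303, "severity": "Informational", "cwe": "CWE-489", "status": "open"},
    ],
}


@dataclass
class GateResult:
    app: str
    passed: bool
    counts: dict = field(default_factory=dict)
    violations: list = field(default_factory=list)


def evaluate(app: str, findings: list, policy: dict = POLICY) -> GateResult:
    """Count open findings per severity and compare them with the policy limits."""
    counts = Counter({sev: 0 for sev in SEVERITIES})
    violations = []
    for f in findings:
        if f.get("status") in HONOURED_STATUSES:
            continue  # approved mitigation: tracked, but not a reason to block
        sev = f.get("severity")
        if sev not in SEVERITIES:
            # Fail closed: a finding we cannot classify must not slip through the gate.
            violations.append(f"finding {f.get('id')}: unknown severity {sev!r}")
            continue
        counts[sev] += 1
    for sev, limit in policy.items():
        if limit is not None and counts[sev] > limit:
            violations.append(f"{counts[sev]} open {sev} finding(s) exceed limit {limit}")
    return GateResult(app, not violations, dict(counts), violations)


def gate(reports: dict, policy: dict = POLICY) -> list:
    """Evaluate every application against the same policy."""
    return [evaluate(app, findings, policy) for app, findings in reports.items()]


def exit_code(results: list) -> int:
    """0 lets the pipeline deploy; 1 blocks it. Any failing app blocks the whole run."""
    return 0 if all(r.passed for r in results) else 1


if __name__ == "__main__":
    results = gate(REPORTS)
    for r in results:
        print(f"{r.app}: {'PASS' if r.passed else 'FAIL'} {r.counts}")
        for v in r.violations:
            print(f"  - {v}")
    raise SystemExit(exit_code(results))
```

With the constructed data, `claims-portal` fails on its open High finding, `billing-api` fails because six open Medium findings exceed the limit of five even though its High finding has an accepted mitigation, and `toll-rates` passes. Two design points matter more than the numbers: mitigated findings are excluded from the count rather than deleted, so the report still shows them, and an unrecognised severity fails the gate instead of being silently ignored.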
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2025
Product Categories
Application Security Tools, Static Application Security Testing (SAST), Container Security, Software Composition Analysis (SCA), Penetration Testing Services, Static Code Analysis, Application Security Posture Management (ASPM)
Popular Comparisons
SonarQube Server (formerly SonarQube)
GitLab
Snyk
Checkmarx One
Mend.io
Fortify on Demand
CrowdStrike Falcon Cloud Security
Sonatype Lifecycle
Acunetix
GitHub Advanced Security
PortSwigger Burp Suite Professional
HCL AppScan
Qualys Web Application Scanning
GitHub
Klocwork
Questions:
- What is the biggest difference between Veracode and Checkmarx?
- Which gives you more for your money - SonarQube or Veracode?
- Checkmarx or Veracode. Which should we choose?
- Would you recommend Veracode? What are some of your use cases?
- Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
- What do I scan when changing code in Veracode?
- If you had to both encrypt and compress data during transmission, which would you do first and why?
- When evaluating Application Security, what aspect do you think is the most important to look for?
- What are the Top 5 cybersecurity trends in 2022?
- What are the threats associated with using ‘bogus’ cybersecurity tools?