Veracode Reviews

We have some applications that connect to external providers or provide external services that users can access from the public internet. We are uploading these applications to Veracode to assess the security threats that our code may pose.

Veracode's analytical capabilities are very good, but I'm not sure if they have prevented security vulnerabilities from going into production in our case because we haven't been using them optimally. We're now working on integrating them into our development pipeline so that we can test applications before they're released. This will also allow us to familiarize ourselves with the sandboxes during development. I believe that if we start using Veracode correctly, it will be very beneficial in preventing security vulnerabilities from going live.

The main benefit of Veracode is the software composition analysis because it helped us identify that we were using some libraries with security flaws. This is important because the individual software components are owned by different smaller teams, and all of those teams contribute to one overall large application. Therefore, there is no single person who would be able to take care of all of the third-party libraries that we are using. Veracode analyzing the libraries that we use is therefore beneficial to us.

Veracode's policy reporting for insurance compliance depends on how our organization uses it. I'm not sure if we're using it to the best of our ability because, for example, I discovered that there is a central space where we can run analysis and sandboxes. Based on what the Veracode expert I spoke to told me, policies should be reported from the danger space, but in our organization, we're reporting them from the Prod CI sandbox. This doesn't seem to be a good solution because the overall application is displayed on the main page, which doesn't reflect what our compliance teams think about our applications. Besides that, I think it comes down to how we're using Veracode within our firm. Overall, I think it's great that the firm can configure certain policies to monitor applications, and the flaw report also enables us to see the flaws that need to be fixed to become compliant, which is a good feature. From Veracode's perspective, everything looks fine.

Over the past year, we discovered a severe security flaw in Lot 4j 1.2.15. We initially believed that this version had been replaced with a newer version that does not have the flaw, but our software composition analysis reports revealed that this is not the case. We still have a few binaries that depend on Lot 4j 1.2.15, which is vulnerable. The software composition analysis results prompted us to schedule a replacement with a new version, which is currently underway.

Veracode has helped us fix flaws effectively. Our security teams enforce monitoring and fix deadlines for reported flaws. If a reported flaw cannot be accepted as a false positive, we must fix it promptly to maintain a high success rate.

Veracode has improved our security posture and will continue to do so as we learn to use the solution more effectively.

I like the way the flaws are reported in the system. It is quite clearly visible where the flaw is coming from, and it is possible to upload the code to see exactly which line was identified as a security threat. I also like the software composition analysis that Veracode provides, because we can see third-party libraries that are used in our software and check if there are any known security flaws in those libraries.

There are many false positives, especially one particular type: reported hard-coded passwords in the code. We do not have hard-coded passwords in our code, but we are using third-party libraries that have variables with passwords in their names. For example, a variable might be named "passwordForCommonFixFile" or "passwordForSecurityStore." Veracode's keyword analysis probably assesses these variables as hard-coded passwords. This is problematic because the false positives are coming from third-party libraries, and we cannot easily check the flaws to see if they are false positives. To fix the problem, we have to compile the code, which we should not have to do. We are forced to accept the false positives because we know from the software and system design that there cannot be hard-coded passwords in the third-party libraries we are using. If the libraries were generic, then there would be no chance that they would have hard-coded passwords for the specific services that we are connecting to. To reschedule the scan, we have to go through some bureaucracy. 

Despite the presence of many false positives, we remain confident in Veracode. However, the impact on developer confidence is negative, as it leads to resistance to enforcing certain development processes, including the use of Veracode in the development pipeline. This is understandable, given the complexity of the process required to reschedule the flaw for a single false positive. This process requires approval from the system owner, a senior manager, and the cybersecurity team.

Veracode has increased the work time of our developers because of the false positives.

The area with the most room for improvement is the speed and responsiveness of the query, as it is usually very slow. I am not sure if there is a specific space allocated for us that can cause this, but when I open an application and want to click through multiple scans to see the differences, or if I want to do anything else, everything loads very slowly. This makes it much less user-friendly to play around with the GUI and explore the features.

I have been using Veracode for three months.

Veracode is stable but a bit slow.

I have only one experience with Veracode support, but it was very positive. I used the schedule consultation feature in the GUI, which was very useful. We had some questions about how to correctly upload a code, and I was able to schedule a call with a Veracode expert. The support person who helped me provided me with many insights, answered all of my questions, and even went beyond what I asked to explain how to use the feature and improve our process.

Positive

The initial deployment is complex because our system is huge, consisting of hundreds of different binaries. Dozens of teams contribute to the releases, and as a result, a large number of changes are deployed at the same time. This makes it very easy to break something, and there are many people involved in the process.

The deployment required a core team of five, with some additional people on hand to support if anything went wrong. The maximum time for deployment was one day.

I give Veracode a seven out of ten due to the slow speed and the false positives.

We only use Veracode for static analysis. We do not use the other features at all.

We have infrastructure deployed in multiple locations around the world. In my team, 50 people use Veracode. Across the entire organization, it is used by hundreds, if not thousands, of users.

I advise everyone to use Veracode in their development pipelines, so that scans can run very frequently, at least once during each nightly build. This will ensure that reports and flaws are addressed effectively. From my development perspective, I recommend against enforcing specific rules on using Veracode, giving deadlines to fix flaws, or introducing additional bureaucracy. This can worsen the developer experience and lead to developers finding ways to avoid having flaws reported, such as by decreasing the frequency of scans. In my opinion, the more processes and bureaucracy we add, the less useful Veracode will be. 

As a full-stack developer, I am also involved with DebOps tasks. When deploying to different environments, we have stages that must be passed as part of DevOps. One of the primary stages that must be passed while deploying to Jenkins is Veracode Analysis. We also have SonarQube analysis, which typically checks code quality, code coverage, and other aspects, such as whether there are any bots or vulnerabilities. Once the code quality test is passed, it enters Veracode analysis. During Veracode analysis, the code is checked for vulnerabilities. Veracode also checks to see if any outdated jobs are being used in the code and suggests better versions to use. All of this information is clearly displayed in the Veracode analysis results. Veracode is linked to JFrog Artifactory, which is a repository of all the jobs available on the market. Veracode uses this information to choose which jobs to use and which jobs to fix. Veracode also explains the possible errors in the code.

We do not receive many threats. The threats are very minimal. Therefore, I have never been in a situation where Veracode had to save me from vulnerable code entering production. However, it is still helpful for us and our managers to access our code to see what is happening and what can be improved using Veracode.

Veracode is constantly being updated and improved. I started using it in October 2022, and at first, we didn't receive much training on it. As a result, we struggled to understand its features at first. However, after some interface changes, I found it easier to catch up. After six months or so, we were able to easily identify and understand what was happening. We use SBOM, and I believe that Veracode is improving significantly in its ability to assess specific vulnerabilities. For example, they are now trying to identify SQL-related injections as well. This is something that I appreciate.

The policy reporting ensures compliance with industry standards and regulations. It also provides a detailed report with multiple options. We can easily generate a report of four to ten pages, or even a one-page report. I really like the way Veracode generates reports on assessments. It's my favorite feature.

It provides visibility into application status at every phase of development, but we must manually scan applications to check the assessment for a specific application or after deploying it to a particular environment. I think they can change this so it automatically scans for us.

The false positive rate is low.

Veracode has improved our organization's ability to fix flaws, and fixing vulnerabilities has sometimes required us to develop new features. This has actually helped us and made our applications better.

It has helped our developers save a lot of time. Jobs are constantly changing and upgrading, Veracode allows us to easily assess the security of our jobs in 10-15 minutes, instead of 40-60 minutes.

Veracode helps us improve our security posture. Once we identify and fix the vulnerabilities Veracode finds, we no longer face any threats.

The feature I like most in Veracode is that it clearly specifies the line in the entire file where a vulnerability is found. For example, if there is a vulnerability on line 32 of the demo.java file, Veracode will clearly state that and also tell me the severity of the threat, such as moderate, high, or very high.

The interface is basic and has room for improvement.

The main problem I have faced with Veracode is that it does not integrate well with JFrog Artifactory, the repository where all our jobs are stored. This means that sometimes jobs are not reflected in the Veracode report, which is a major drawback.

We have a Maven repository provided by Maven itself, which is widely used by all developers. It is the heart of these jobs, and every detail is available in the jobs. So when Veracode says that a specific job is not vulnerable, but the Maven repository says that it is, I don't think Veracode is updated daily. This is a problem because if I fix the job, taking two to three hours to do so, and then Veracode is updated two weeks later and linked to the Maven repository again, Veracode may show that the job is no longer vulnerable. This is a threat, as it wastes a lot of time for developers. As developers, we usually have deadlines to meet for moving to particular environments, such as UAT or production. Veracode is wasting our efforts by not being updated daily.

I have been using Veracode for one year.

The stability can be improved. There are times when we don't see our applications and have to ask a Veracode support person to add them.

Veracode is scalable, and we have not had any issues with the Microsoft and Solar components that we use. It has always worked seamlessly, and we have the ability to scale up to 15 components on our end.

We only had to use the technical support once and it was fine.

Neutral

I would rate Veracode eight out of ten.

There is minimal maintenance required from developers. The infrastructure team will take care of it. So, let's say there is one application, four microservice components, and six flow components. In that case, two members can easily maintain the Veracode platform.

I am one of five member developers from India who are using Veracode. We also have locations in Spain, Mexico, and London.

I recommend Veracode for organizations that are not in the cloud and still working on-premises. 

We use Veracode for static application security testing (SAST). We also use it for scan or software composition analysis (SCA) testing purposes. We mainly use it to triage the flaws or vulnerabilities that are found in our coding standards so that we can enforce secure coding practices at the developers' end. Because we are a part of the security team, we provide mitigation for the development team on all the SAST vulnerabilities that we come across.

We use it for static application security testing. It helps us with proactivity. Before the product or the application is deployed on the production environment, we have a DevSecOps pipeline that kicks in, and we are able to triage the flaws or vulnerabilities that Veracode shows based on our policies using the Open Web Application Security Project (OWASP). Veracode definitely helps us to go through the vulnerabilities and fix them before they go into production so that bad actors cannot exploit them.

In terms of software composition analysis or SCA, we have come across several libraries and packages that were vulnerable and detected by Veracode. We work on getting the latest updates or packages so that we do not fall back on the security front.

When it comes to visibility, I am not sure whether it is through Veracode, but we have our pipelines built on Azure. We do get to see whenever a scan is kicked off and whether the Veracode check has passed. There is no direct visibility in Veracode apart from the dashboard, which does have information about what type of scan has been performed and whether it is a policy sandbox or just a testing sandbox.

Veracode has been fairly decent for fixing flaws. We have mainly been using it for SAST. For DAST, we have our AppScan from HCL, but Veracode is fairly decent for fixing flaws or trying to be proactive and ensuring all of our applications have been securely developed.

In terms of policies, it works fine. Our policies are mostly predefined. They were defined by our previous team. We look into the policies based on the scan dates.

From a developer's perspective, Veracode's greenlight feature on the IDE is helpful. It helps the developer to be more proactive in secure coding standards. Apart from that, static analysis scanning is definitely one of the top features of Veracode.

Recently, I came across a new workflow, which I had seen in Checkmarx, that shows how a vulnerability flows from the start point to the end point of a function. 

There can be a lot of improvement. It does not have a reporting structure for an OS-based vulnerability report, whereas its peers such as Fortify and Checkmarx have this ability. Checkmarx also provides a better visibility of the code flow.

Veracode is 75% or 80% accurate. At times, we do come across a lot of false-positive cases, but this is an issue with all security tools. Unfortunately, we do not see an option to set the policies because policies are predefined. Overall, when comparing it with its competitors, Checkmarx is better than Veracode in false-positive rate. Veracode's false-positive rate is decent. It is not too good and not too bad, but there is a lot of room for improvement. I personally found Checkmarx to be more accurate than Veracode. This false-positive rate has an effect on the security team because, for a false positive, a developer raises a ticket for us, and our job gets a little bit more hectic because we have more vulnerabilities to create rather than focusing on the positive ones. It is daunting when too many false positives are being reported by the development team for triaging purposes. However, in one of the calls related to their roadmap, I saw a feature where you can go through the code, and it provides you with some mitigation. 

I used Veracode at the beginning of my career from 2017 to 2019. I then switched my job, and my next company used Checkmarx, which is a competitor of Veracode. I changed my job again in 2021 and have been using Veracode in this company. Overall, I have close to three years of experience.

It is pretty stable. I would rate it a nine out of ten in terms of stability.

We are using the SaaS offering, so it is pretty scalable. I would rate it a nine out of ten in terms of scalability. 

Whenever there is a flaw that we cannot understand, we have something called Veracode consultation. We raise a ticket and follow up on the ticket. That is it. They are well-versed. The only challenge I face is that I am based out of Ireland. The time zone is a pretty big issue for us most of the time. Whenever we have a code support call, the majority of the time, it happens late at night. That is one of the reasons why we tend to skip the consultation calls. I would rate their support a nine out of ten.

Positive

I have worked with Checkmarx in another job. I prefer Checkmarx over Veracode. Checkmarx provides a better visibility of the code flow. Veracode also has code flow, but it is in IDE, so you need to manually jump through the code and check the flow. It is easier for someone with experience, but someone new to the security domain will find it tough, especially when there is no clear picture of the workflow to know what is going on. This is a feature that I would like in Veracode.

It is a SaaS or cloud solution. It is definitely not on-prem. We sign in using a single sign-on.

I was not involved in its deployment. There is no maintenance as such. 

To those evaluating Veracode, I would say that unless you get hands-on experience, it is difficult to evaluate. So, I would advise getting hands-on experience with the tool. I would also advise checking out other solutions such as Fortify and Checkmarx.

Overall, I would rate Veracode a seven out of ten.

We use Veracode to identify any security issues or flaws in our code so that we can eradicate them. We also use it to keep developers on their toes, to make sure they don't introduce any new flaws.

It is helping us a lot because we can easily identify vulnerable code by just scanning and, therefore, we are able to prevent it from going into production.

Veracode has given us access to high-quality data and automated testing, and it has helped our organization to make sure that we create platforms without any malicious code or risks. Our application for our clients is very secure. And because it has static code analysis and produces good reports, it has definitely enabled us to be very scalable in what we do and to produce a stable solution.

What it has done is that before we try to implement, we think over the security using Veracode. We analyze things and create a very good report of what it is going to be. So in the future, we have an application-centric view that is giving us the possible threats. Before we scan, we already know what the targets are that we want to achieve.

The solution also really helps a developer to know exactly where they need to fix things and where they implemented errors, by allowing them to analyze their code. So confidence that developers get from Veracode is that they know exactly what code is causing an error or causing a vulnerability. They avoid those issues and it helps them to really develop very quickly.

It has saved quite a bit of money and effort. It helps create a meaningful improvement in the security of our products. It helps you to develop faster. You save a lot of time because you don't have to debug things manually. That would take a lot of time. You just scan with Veracode and you see all the code that needs to be fixed. It really saves a lot of money because it would be very expensive to hire a technical team or developer to trace every issue in the code. A single package of Veracode saves you a lot compared to if you were to have a team of three or four people[e. With Veracode, small teams can use it and do their tasks better. At any stage of development, they know where to fix things and the flow makes it easy to produce things on time. It saves us 50 percent of our time.

And with security being paramount, we now know that every solution we are providing, that we put into production, is stable, secure, risk-free, and compliant with industry standards. We are now trusted by more of our customers who use platforms as well as by more stakeholders.

It has helped reduce costs because we have two or three developers who can maintain security by doing the scans. We don't need a lot of developers. We just need a few with the technical skills to use Veracode.

The user interface is quick, familiar, and user-friendly and makes navigation to other software very easy. It is also easy to scan a new application and view the results of previous scans and generate a report.

It is really great when it comes to knowing the vulnerabilities in the code as well.

Veracode has also really tried to make sure that they comply with any standards and regulations, and the process is quick and quite straightforward. That has had a very good and positive impact.

It can be a bit complex because it takes a lot of time to have it complete the task.

Also, the interface is disjointed. 

And the documentation is kind of confusing. It may not be updated in the same way that the software is.

There is also a little bit of a learning curve before you can do security scanning of any application.

I've used Veracode for three years.

It is stable. I haven't experienced any downtime.

And it is scalable enough. You can integrate it with third parties to come up with a meaningful solution.

Their support group is very good. They really make sure that you get enough support. You can schedule a consultation and most of the consultants are very helpful in troubleshooting any lines you go through.

However, technical support literally takes weeks or months to respond to requests and that causes a lot of delays. It's horrible. It affects our workflow and progress.

Negative

We didn't have a previous solution.

Deploying and implementing Veracode is straightforward. Things get complex when you want to use it.

It doesn't require any maintenance.

We did it in-house. I worked with two of my colleagues.

To a small extent, we have seen ROI, on the order of 10 percent. It is very expensive to use and that means you really need to make a lot of sales before you can compete with the cost of Veracode. The ROI is there, but very small.

It is expensive. It depends on the use case, but it is very hard to find a pricing page on their website. Instead, they need to analyze your use case, but without knowing the entire project and how you're going to be using Veracode, how many scans you're going to do, if yours is a small business, it is very expensive and it affects ROI.

If you're concerned about the price, it is not a good solution for a small company.

Veracode's false positive rate is moderate.

My advice would be that this is a great platform, overall, if you have the budget to use it. It does great work that can really help out. But I wouldn't recommend it to a small business because the pricing is not registered on their website. They will have to take you through an assessment. The responses that you deliver will determine the pricing you'll be given. In the end, it may affect ROI.

But if a business is okay with the budget required by Veracode, I would certainly say it is great. It does a lot of security scans to make your applications secure. It will help developers to develop faster.

We use Veracode mainly for legacy software audits.

The most valuable feature of Veracode is the binary scan feature for auditing, which allows us to audit the software without the source code. Veracode's most valuable feature is the verified vulnerability database, and we can do a full software audit at our company, including all of the systems.

Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects.

With the solution's security audit feature, an enterprise should be able to cover all of its applications with the desktops. Veracode is simply too expensive for that. If you know about the price of a web application, and if you multiply it by 1,000, the return on investment doesn't work. It's okay for one or two projects running very fast, but it doesn't work for all the legacies. So, it's a huge amount of money.

There should be some lighter tool that allows you to do some audit scanned one time. Only ten percent of the applications are actively developed. About 90% of the other applications have no projects or budgets, but we are still vulnerable. It is too much if you buy it for all of that.

I have been using Veracode for three years.

Veracode is a completely stable solution, and we had no problems with its stability. The solution was a bit slow, but it was stable.

We didn’t face any issues with the solution’s scalability.

We know only one person from Veracode, and he supported us when we had issues, and he was able to solve everything.

Positive

We have previously used Checkmarx. Veracode's pricing is cheaper than Checkmarx, and it has some unique features like binary scan. In Hungary, Checkmarx is installed more than Veracode.

The solution’s initial setup was very easy. Only one or two people are needed for the initial setup of the solution.

Veracode is a very expensive product.

Veracode can list a lot of vulnerabilities, but processing all of them is a time- and resource-intensive process. I think Veracode has no innovative features because a lot of other software can do that. In our opinion, innovative features are a commodity with Veracode, but they are doing a good job.

The solution's ability to provide visibility into application status at every phase of development is valuable. It can be faster, but it can also slow down because our backlog may be much longer. There will be a lot of vulnerabilities or false positives that have to be processed. So, it is not black and white, but it is safer. Veracode has helped our developers save time.

Veracode has had a very low impact on our organization’s overall security posture because it is a very expensive product. An enterprise with 1,000 applications uses the solution for one or two applications. Veracode does not need any maintenance because it's cloud-based.

Veracode is very important to our organization’s shift-left security strategy when we have a project with enough sources to provide the license. I use Veracode’s cloud version. The return on investment with Veracode is good for one or two mission-critical projects running in the company. For other things, users should use open-source solutions or much cheaper products like SonarQube that are not as good as Veracode.

The fact that Veracode scans only binary code and doesn't scan source code concerns me sometimes. Sometimes, we have to do some source repository audits. We cannot use Veracode for source repository audits because it scans only binary code. I would recommend Veracode to other users.

Overall, I rate the solution ten out of ten.

We used it for static and dynamic testing to check if there were any vulnerabilities in the code. If there were any vulnerabilities, we would check the report downloaded from the Veracode portal and try to fix the code before deploying it.

Veracode helped me remove errors, and it didn't take a long time to fix any issue because I had an answer regarding where the code needed to be fixed. That feature helped us test our cases and get them deployed. It helped me fix vulnerabilities and any other errors before deployment to the applications.

The SAST and DAST scans—we used it both before code was deployed and after it was deployed—helped us run through the issues and keep track of their status. It was deployed in the pipelines, through Jenkins, and checked the logs in Kubernetes.

The solution also saved us time. I really liked the automatic scanning because there was no way to know where an issue was. Human tendency is to make mistakes, but Veracode helped us find the exact spot where an error was and change it. The reporting helped us do that in a short amount of time.

For our team, it had a very good impact. My manager used to suggest that before taking code to the next level, it was a really good idea to scan it.

I liked that I could easily find out where my errors were. Instead of going through the whole code and the scripts, it showed me where the errors were and gave me an idea of how to fix them.

The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed.

Also, with upgrades, we had quite a difficult time tracking the reports, so there was some maintenance around that.

I used Veracode for 13 months.

I had a situation that was due to a slow network, and I couldn't get results within a specific time. Because of that, there was a lag in production; we couldn't deploy the code on time. There was a crash, and because of that, we couldn't meet our production deadline.

The downtime happened two or three times. I thought it was due to a network issue when it happened once, but then I came to understand that it was a maintenance issue.

Veracode is really not difficult or complex to understand. The whole concept is simple. It takes some time to get used to the tool, but it is a very simple tool to work with.

It was quite fast. Scanning my code took 25 to 30 minutes, which was quite good.

We use Veracode to identify and detect security vulnerabilities in our applications before they are uploaded, deployed, or used. This gives us greater confidence in the security of our applications, which leads to positive feedback from our clients.

The solution's ability to prevent vulnerable code from going into production is a good thing because we have not upgraded to detect any variable code before deployment. Therefore, it is a good way to start our campaign.

Using SBOM to manage risks is straightforward and faster because it does not require technical skills. This makes it easy and straightforward to implement and use to prevent vulnerabilities and ensure compliance with any policy in any industry. Creating reports using SBOM is easy.

Veracode is helping us by providing alerts to ensure that we are providing a good application that does not have security vulnerabilities. This means that any client using our application or software can be confident that it is stable, secure, and risk-free. As a result, our organization is benefiting from cost savings and increased sales.

Veracode's policy reporting for enabling compliance with industry standards and regulations can be a bit complex for beginners, but it is much easier and quicker for experienced users.

Veracode provides visibility into application status throughout the development process. It is easy to understand the severity of a threat, thanks to their clear and concise documentation. This documentation can be used to understand code, security, vulnerabilities, and project management. Veracode also helps ensure compliance with all industry standards.

Veracode's visibility helps our DevSecOps team because it supports multiple programming languages. This means that teams with different programming languages can use Veracode to remotely collaborate and develop a stable solution. As a result, our developer team is not affected and can continue to provide high-quality, bug-free products on time, which is beneficial to our current and future clients.

Veracode's false positive rate is low.

Veracode's low false positive rate increases our developers' confidence. Some developers may have used a different solution in the past or may have had a different experience with another vendor. Therefore, I believe that initially, they may not be confident in Veracode when some vulnerable code is found in their primary code. This can sometimes make them feel unprofessional, but ultimately, since we are using a professional solution, their confidence will grow and become positive. This is because they will realize that if this code has vulnerabilities, the next time they release a project or application, they need to be very transparent and careful to avoid any problems. Therefore, the initial confidence may be shaken, but as developers get used to Veracode, it becomes much easier and their confidence in developing improves.

Regarding time, static analysis's false positive rate has reduced the amount of time we would have spent using other solutions or the cost of using a high-tech team to do it. Additionally, the cost of accessing running machines in this era is quite expensive. However, if we have the opportunity to use Veracode with its multiple features, I think it is a very good setting for any company during the learning process of using machines.

With Veracode, we can perform multiple scans simultaneously in different programming languages. This is different from other solutions, where we would manually or independently scan each application or programming language. Veracode allows us to scan more quickly and easily. The time it takes to detect flaws in the code is not comparable to the previous solution, because Veracode speeds up the process and makes it easier to create reports. We can share these reports with other developers to create free call-to-action campaigns and improve the user experience. By the time we deploy our applications, we can be confident that they are secure.

Veracode helped our developers save time by providing a solution that can be integrated with other IDEs, such as Visual Studio Code. This allows developers to use a tool that they are familiar with and that is readily available. This, in turn, helps them to develop faster because the interactivity tools support every programming language. This means that developers do not have to create a lot of code before they can start using Veracode. Instead, they can focus on adding more logic and functionality to their code. Veracode can then help them to test and secure their code more quickly. Overall, Veracode has helped our developers save an average of 30 percent of the time they would have otherwise spent on security testing.

Veracode has had a positive impact on our security posture. We are now able to create secure and stable solutions more quickly because of their transparency, speed, and visibility.

Veracode reduced the cost of our DevSecOps by around eight percent.

Veracode is very easy to use. I use it to scan my Java Micro Service, and it is easy to configure. It does not require any software to be installed, and it can access data files and scan them quickly. This makes it very user-friendly.

Scanning progress is highly dependent on the speed of the Internet. This can create confusion about the completion of scanning tasks. For example, a static scan may detect all vulnerabilities during a single scan, but when static scanning is disabled, some vulnerabilities may be detected during one scan, but not during the next scan or a subsequent scan. This inconsistency can make it difficult to track vulnerabilities. Additionally, The solution does not make it easy to mitigate vulnerabilities that are not detected by static scanning.

The price of the solution has room for improvement.

I have been using Veracode for three years.

Veracode is stable as long as we have a good internet connection. The stability of Veracode is based on the internet speed.

Veracode is scalable. We use Veracode in multiple departments. Ten people in our organization use the solution.

The initial deployment was straightforward and took two of us five days to complete the deployment.

We implemented the solution in-house.

With Veracode, we are developing more secure, scalable, and stable applications on a faster track. Our clients know that they can trust us to deliver secure applications that meet their expectations. This led to increased sales, even though our products are priced higher than our competitors. We are able to charge a premium because our products meet the Swedish standard for security, compliance, and risk. As a result, we have seen a 65 percent return on investment.

Veracode is expensive.

I give Veracode an eight out of ten.

Veracode is not a cost-effective solution for small businesses, but it is a good solution for medium and enterprise businesses.

Veracode does not require any maintenance.

I recommend Veracode to organizations that need a static code security analysis. Veracode is simple to understand and supports all programming languages.

I use Veracode to ensure the projects I deliver don't have vulnerabilities. 

Veracode provides insight into vulnerabilities at every stage, so your team can progress through the development cycle more efficiently. It improves developer confidence by showing us our capabilities and the potential of our code. 

Our developers improve and become more efficient using Veracode. Once we identify issues in our code, it's much easier to avoid the same mistakes in future projects. It teaches them how to overcome those vulnerabilities and errors while reducing costs.

Veracode saves a lot of time compared to traditional methods for identifying vulnerabilities. We save around $500 a month using Veracode because we don't need to hire experts. 

Veracode has improved our overall security posture. We feel assured that applications we deliver to clients or use internally are highly secure. It has helped us develop strategies to create stable, secure platforms.

I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate. I love the Software Bill of Materials (SBOM) feature because it helps you explore various industries and understand what to do to minimize risks and maintain compliance. It's straightforward and ensures my applications are compliant. 

It's easy to create reports using the SBOM feature because it has templates that you can customize depending on the reporting requirements. It gives me a report of the compliance requirements for any industry. It helps us internally and improves the services we provide to our clients.

Veracode is great for preventing vulnerable code from going into production because it covers various programming languages like JavaScript and PHP. You can be confident that your code is secure no matter which language you use.

Static scanning takes a long time, so you need to patiently wait for the scan to achieve. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings. 

I've used Veracode for three years.

Veracode is stable. I've been working with it for a long time. 

I rate Veracode support 10 out of 10. They're friendly and responsive. 

Positive

Deploying Veracode is straightforward. I did it with one other colleague. 

We can afford Veracode, but it's too expensive for small enterprises. If you're concerned about the price, you should weigh the benefits you can achieve. It has saved us a lot of money on DevOps. We save about $500 a month by not outsourcing this work to experts.  

I rate Veracode eight out of 10.

It's an excellent product for developing a secure platform that will benefit your company and its customers while helping you build a sustainable development team. Before implementing Veracode, you need to prepare and have at least one person who understands how to use the product.