Veracode Reviews

We use Veracode mainly for legacy software audits.

The most valuable feature of Veracode is the binary scan feature for auditing, which allows us to audit the software without the source code. Veracode's most valuable feature is the verified vulnerability database, and we can do a full software audit at our company, including all of the systems.

Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects.

With the solution's security audit feature, an enterprise should be able to cover all of its applications with the desktops. Veracode is simply too expensive for that. If you know about the price of a web application, and if you multiply it by 1,000, the return on investment doesn't work. It's okay for one or two projects running very fast, but it doesn't work for all the legacies. So, it's a huge amount of money.

There should be some lighter tool that allows you to do some audit scanned one time. Only ten percent of the applications are actively developed. About 90% of the other applications have no projects or budgets, but we are still vulnerable. It is too much if you buy it for all of that.

I have been using Veracode for three years.

Veracode is a completely stable solution, and we had no problems with its stability. The solution was a bit slow, but it was stable.

We didn’t face any issues with the solution’s scalability.

We know only one person from Veracode, and he supported us when we had issues, and he was able to solve everything.

Positive

We have previously used Checkmarx. Veracode's pricing is cheaper than Checkmarx, and it has some unique features like binary scan. In Hungary, Checkmarx is installed more than Veracode.

The solution’s initial setup was very easy. Only one or two people are needed for the initial setup of the solution.

Veracode is a very expensive product.

Veracode can list a lot of vulnerabilities, but processing all of them is a time- and resource-intensive process. I think Veracode has no innovative features because a lot of other software can do that. In our opinion, innovative features are a commodity with Veracode, but they are doing a good job.

The solution's ability to provide visibility into application status at every phase of development is valuable. It can be faster, but it can also slow down because our backlog may be much longer. There will be a lot of vulnerabilities or false positives that have to be processed. So, it is not black and white, but it is safer. Veracode has helped our developers save time.

Veracode has had a very low impact on our organization’s overall security posture because it is a very expensive product. An enterprise with 1,000 applications uses the solution for one or two applications. Veracode does not need any maintenance because it's cloud-based.

Veracode is very important to our organization’s shift-left security strategy when we have a project with enough sources to provide the license. I use Veracode’s cloud version. The return on investment with Veracode is good for one or two mission-critical projects running in the company. For other things, users should use open-source solutions or much cheaper products like SonarQube that are not as good as Veracode.

The fact that Veracode scans only binary code and doesn't scan source code concerns me sometimes. Sometimes, we have to do some source repository audits. We cannot use Veracode for source repository audits because it scans only binary code. I would recommend Veracode to other users.

Overall, I rate the solution ten out of ten.

We use the solution for identifying bugs before deployment in the software-side cycle process.

It can be integrated with our CL and CDProp pipeline, and it can be used with multiple integrations in our Visual Studio Code editor. That's the main use case.

We've saved a lot of time since using Veracode. We've also been able to cut down on costs since we require a lot of penetration tests for testing our software. Veracode helps us drastically reduce these costs. We've cut our costs down by 40%.

The solution provides us with a feature that we can directly use with static and dynamic analysis. With static analysis, we can use it while the app is not running, and with dynamic analysis, we can scan our application while it is running. It provides efficiency and also saves a lot of time for penetration testing and bug testing.

The capabilities of the analysis of the code base can help us effectively detect potential vulnerabilities. This is the most valuable feature we found. It can be integrated with multiple code editors, and it can also be integrated with various CI/CD pipelines.

The dynamic analytics is efficient. It helps us identify bugs while the app is running. We find that this ability is way better than its competitor.

Our impression of the solution's ability to prevent vulnerable code from going into production is positive. Prior to Veracode, we used to deploy our apps, and it used to be an expensive process to fix the bugs and all the potential vulnerabilities after deployment. Now, we have access to AI. It has AI tools, which have been trained with a lot of data sets. It helps us to detect bugs and fix them.

We use the free access to VeriCloud's application security consulting team. The consulting team has helped us a lot, and we've had positive experiences with the vendors. It is efficient and very fast. It takes less than two or three days, and they always respond positively. They are really fast at solving our problems. It's important for us to have access to an application security consulting team at no extra cost.

We use Veracode's AI-generated fixes. They make fewer errors and are very accurate. We've had a very positive experience. They've saved approximately seven hours of debugging and error finding versus the manual penetration testing process. 

The solution's policy reporting for insurance compliance with industry standards and regulations is very helpful. It's fast as well. The team helps us at every step of the product life cycle. They provide us with very useful visibility into things like static analysis, composition analysis, and manual penetration. It significantly helps us to reduce the time that we have to manually fix the bugs, and it also provides us with an efficient solution for future cases via past analysis through its data algorithm. We've saved six to eight hours compared to manual fixing.

Veracode has had a positive impact on our organization's ability to fix flaws compared to the prior. It has reduced our costs and time, and it has also provided us with multiple security functions. That, and it's made our application a lot more secure. It really helps our devs free up time due to less debugging needed on their part.

The solution has helped us a lot with our overall security posture. Many security features were fixed prior to release, and we've been able to reduce manpower and employee count. We've reduced teams from six or seven people to two or three. 

The integration capabilities with our existing development tools are very good. The integration process was easy. It has stable APIs.

The solution does take a bit more time when we use it for multiple processes. When we use it for a single process, it takes up less time. The cost also goes up when we use it for multiple processes. 

I have been using the solution for six months.

The solution is very stable. We haven't come across any bugs. 

Our security team of three uses the solution. 

It's great for scaling. We can use it on multiple projects which involve multiple security flows.

Technical support has been very fast and efficient. The team helps us at every phase of the development cycle. 

Positive

We did not use a different solution. Previously, we relied on manual testing. 

We deployed the solution in about three months. We had a team of eight working on the implementation. During the process, I was in charge of, IT was in charge of security, and the AI algorithm.

We don't require any maintenance.

Even after six months, we've seen an ROI. In terms of resources, it's great for cost-cutting. It also generally cuts costs by 40%.

The pricing is moderate for particular processes. However, if we take an entire process in general, it can be costly. It's more economical to use it for single purposes instead of generalizing processes. 

Thanks to its algorithm, Veracode is an on-demand service that can be very cost-effective. With so many features, we no longer require many people to test.  

If they are worried about pricing, people should try out their demo feature, which is available online. That way, they can demo and evaluate how it would work for them. If it works for their team and product, they may find it can optimize their processes. Of course, it depends on the use case. 

I'd advise colleagues considering Veracode to evaluate the specific requirements for their application and do an in-depth analysis. I would recommend it as a product.

I'd rate the solution ten out of ten. 

We have some applications that connect to external providers or provide external services that users can access from the public internet. We are uploading these applications to Veracode to assess the security threats that our code may pose.

Veracode's analytical capabilities are very good, but I'm not sure if they have prevented security vulnerabilities from going into production in our case because we haven't been using them optimally. We're now working on integrating them into our development pipeline so that we can test applications before they're released. This will also allow us to familiarize ourselves with the sandboxes during development. I believe that if we start using Veracode correctly, it will be very beneficial in preventing security vulnerabilities from going live.

The main benefit of Veracode is the software composition analysis because it helped us identify that we were using some libraries with security flaws. This is important because the individual software components are owned by different smaller teams, and all of those teams contribute to one overall large application. Therefore, there is no single person who would be able to take care of all of the third-party libraries that we are using. Veracode analyzing the libraries that we use is therefore beneficial to us.

Veracode's policy reporting for insurance compliance depends on how our organization uses it. I'm not sure if we're using it to the best of our ability because, for example, I discovered that there is a central space where we can run analysis and sandboxes. Based on what the Veracode expert I spoke to told me, policies should be reported from the danger space, but in our organization, we're reporting them from the Prod CI sandbox. This doesn't seem to be a good solution because the overall application is displayed on the main page, which doesn't reflect what our compliance teams think about our applications. Besides that, I think it comes down to how we're using Veracode within our firm. Overall, I think it's great that the firm can configure certain policies to monitor applications, and the flaw report also enables us to see the flaws that need to be fixed to become compliant, which is a good feature. From Veracode's perspective, everything looks fine.

Over the past year, we discovered a severe security flaw in Lot 4j 1.2.15. We initially believed that this version had been replaced with a newer version that does not have the flaw, but our software composition analysis reports revealed that this is not the case. We still have a few binaries that depend on Lot 4j 1.2.15, which is vulnerable. The software composition analysis results prompted us to schedule a replacement with a new version, which is currently underway.

Veracode has helped us fix flaws effectively. Our security teams enforce monitoring and fix deadlines for reported flaws. If a reported flaw cannot be accepted as a false positive, we must fix it promptly to maintain a high success rate.

Veracode has improved our security posture and will continue to do so as we learn to use the solution more effectively.

I like the way the flaws are reported in the system. It is quite clearly visible where the flaw is coming from, and it is possible to upload the code to see exactly which line was identified as a security threat. I also like the software composition analysis that Veracode provides, because we can see third-party libraries that are used in our software and check if there are any known security flaws in those libraries.

There are many false positives, especially one particular type: reported hard-coded passwords in the code. We do not have hard-coded passwords in our code, but we are using third-party libraries that have variables with passwords in their names. For example, a variable might be named "passwordForCommonFixFile" or "passwordForSecurityStore." Veracode's keyword analysis probably assesses these variables as hard-coded passwords. This is problematic because the false positives are coming from third-party libraries, and we cannot easily check the flaws to see if they are false positives. To fix the problem, we have to compile the code, which we should not have to do. We are forced to accept the false positives because we know from the software and system design that there cannot be hard-coded passwords in the third-party libraries we are using. If the libraries were generic, then there would be no chance that they would have hard-coded passwords for the specific services that we are connecting to. To reschedule the scan, we have to go through some bureaucracy. 

Despite the presence of many false positives, we remain confident in Veracode. However, the impact on developer confidence is negative, as it leads to resistance to enforcing certain development processes, including the use of Veracode in the development pipeline. This is understandable, given the complexity of the process required to reschedule the flaw for a single false positive. This process requires approval from the system owner, a senior manager, and the cybersecurity team.

Veracode has increased the work time of our developers because of the false positives.

The area with the most room for improvement is the speed and responsiveness of the query, as it is usually very slow. I am not sure if there is a specific space allocated for us that can cause this, but when I open an application and want to click through multiple scans to see the differences, or if I want to do anything else, everything loads very slowly. This makes it much less user-friendly to play around with the GUI and explore the features.

I have been using Veracode for three months.

Veracode is stable but a bit slow.

I have only one experience with Veracode support, but it was very positive. I used the schedule consultation feature in the GUI, which was very useful. We had some questions about how to correctly upload a code, and I was able to schedule a call with a Veracode expert. The support person who helped me provided me with many insights, answered all of my questions, and even went beyond what I asked to explain how to use the feature and improve our process.

Positive

The initial deployment is complex because our system is huge, consisting of hundreds of different binaries. Dozens of teams contribute to the releases, and as a result, a large number of changes are deployed at the same time. This makes it very easy to break something, and there are many people involved in the process.

The deployment required a core team of five, with some additional people on hand to support if anything went wrong. The maximum time for deployment was one day.

I give Veracode a seven out of ten due to the slow speed and the false positives.

We only use Veracode for static analysis. We do not use the other features at all.

We have infrastructure deployed in multiple locations around the world. In my team, 50 people use Veracode. Across the entire organization, it is used by hundreds, if not thousands, of users.

I advise everyone to use Veracode in their development pipelines, so that scans can run very frequently, at least once during each nightly build. This will ensure that reports and flaws are addressed effectively. From my development perspective, I recommend against enforcing specific rules on using Veracode, giving deadlines to fix flaws, or introducing additional bureaucracy. This can worsen the developer experience and lead to developers finding ways to avoid having flaws reported, such as by decreasing the frequency of scans. In my opinion, the more processes and bureaucracy we add, the less useful Veracode will be. 

As a full-stack developer, I am also involved with DebOps tasks. When deploying to different environments, we have stages that must be passed as part of DevOps. One of the primary stages that must be passed while deploying to Jenkins is Veracode Analysis. We also have SonarQube analysis, which typically checks code quality, code coverage, and other aspects, such as whether there are any bots or vulnerabilities. Once the code quality test is passed, it enters Veracode analysis. During Veracode analysis, the code is checked for vulnerabilities. Veracode also checks to see if any outdated jobs are being used in the code and suggests better versions to use. All of this information is clearly displayed in the Veracode analysis results. Veracode is linked to JFrog Artifactory, which is a repository of all the jobs available on the market. Veracode uses this information to choose which jobs to use and which jobs to fix. Veracode also explains the possible errors in the code.

We do not receive many threats. The threats are very minimal. Therefore, I have never been in a situation where Veracode had to save me from vulnerable code entering production. However, it is still helpful for us and our managers to access our code to see what is happening and what can be improved using Veracode.

Veracode is constantly being updated and improved. I started using it in October 2022, and at first, we didn't receive much training on it. As a result, we struggled to understand its features at first. However, after some interface changes, I found it easier to catch up. After six months or so, we were able to easily identify and understand what was happening. We use SBOM, and I believe that Veracode is improving significantly in its ability to assess specific vulnerabilities. For example, they are now trying to identify SQL-related injections as well. This is something that I appreciate.

The policy reporting ensures compliance with industry standards and regulations. It also provides a detailed report with multiple options. We can easily generate a report of four to ten pages, or even a one-page report. I really like the way Veracode generates reports on assessments. It's my favorite feature.

It provides visibility into application status at every phase of development, but we must manually scan applications to check the assessment for a specific application or after deploying it to a particular environment. I think they can change this so it automatically scans for us.

The false positive rate is low.

Veracode has improved our organization's ability to fix flaws, and fixing vulnerabilities has sometimes required us to develop new features. This has actually helped us and made our applications better.

It has helped our developers save a lot of time. Jobs are constantly changing and upgrading, Veracode allows us to easily assess the security of our jobs in 10-15 minutes, instead of 40-60 minutes.

Veracode helps us improve our security posture. Once we identify and fix the vulnerabilities Veracode finds, we no longer face any threats.

The feature I like most in Veracode is that it clearly specifies the line in the entire file where a vulnerability is found. For example, if there is a vulnerability on line 32 of the demo.java file, Veracode will clearly state that and also tell me the severity of the threat, such as moderate, high, or very high.

The interface is basic and has room for improvement.

The main problem I have faced with Veracode is that it does not integrate well with JFrog Artifactory, the repository where all our jobs are stored. This means that sometimes jobs are not reflected in the Veracode report, which is a major drawback.

We have a Maven repository provided by Maven itself, which is widely used by all developers. It is the heart of these jobs, and every detail is available in the jobs. So when Veracode says that a specific job is not vulnerable, but the Maven repository says that it is, I don't think Veracode is updated daily. This is a problem because if I fix the job, taking two to three hours to do so, and then Veracode is updated two weeks later and linked to the Maven repository again, Veracode may show that the job is no longer vulnerable. This is a threat, as it wastes a lot of time for developers. As developers, we usually have deadlines to meet for moving to particular environments, such as UAT or production. Veracode is wasting our efforts by not being updated daily.

I have been using Veracode for one year.

The stability can be improved. There are times when we don't see our applications and have to ask a Veracode support person to add them.

Veracode is scalable, and we have not had any issues with the Microsoft and Solar components that we use. It has always worked seamlessly, and we have the ability to scale up to 15 components on our end.

We only had to use the technical support once and it was fine.

Neutral

I would rate Veracode eight out of ten.

There is minimal maintenance required from developers. The infrastructure team will take care of it. So, let's say there is one application, four microservice components, and six flow components. In that case, two members can easily maintain the Veracode platform.

I am one of five member developers from India who are using Veracode. We also have locations in Spain, Mexico, and London.

I recommend Veracode for organizations that are not in the cloud and still working on-premises. 

We use Veracode mainly for identifying any vulnerabilities in the software. We do a lot of development, and before we deploy any product to our client environment, we want to make sure there are no vulnerabilities in the code and also follow best practices. 

We run scans to identify the criticality of these bugs and vulnerabilities, and we try to mitigate them. If it's not possible, we get an exception. At least we are aware of the vulnerabilities in our code, making sure our code is secure and not exposed to any threats like hacking.

In my organization, we have a policy in place. Every company has a different policy; at least our company has specific requirements where we expect everyone to build the tool or the software to some extent, following some best practices. 

Veracode helps us embed those policies into the scan. When we run the scan, the administrators have already set the policy, defining what needs to be checked and what can be ignored. It helps us when we run the scan because it provides a score based on the policy level. This score certifies how well the tool has scanned the code. 

We can then show this certification to demonstrate that the product meets the required standards and can be trusted without any issues. So, we are working with the solutions policy reporting to ensure compliance with the industry standard.

For our product, we use static analysis. We're not using any agent-based solutions, but we are planning to hook it into the CI/CD pipeline in the future.

Veracode has been helpful because, in the past, we used to integrate Veracode scanning into our CI/CD pipeline. Sometimes, what happens is a junior developer sees a third-party library and thinks, "Oh, this tool is helpful," and they bring it into our system to build something.

However, even if it's a third-party tool, we don't know what vulnerabilities that code may have. At least now, whenever we push code, Veracode can catch any vulnerabilities, and if it fails our build, it prevents us from deploying that code into our environment. It clearly states, "This code has a vulnerability; I can't deploy it." So, it effectively blocks us from deploying risky or vulnerable code in our tool. It helps us quickly assess the risk of third-party tools and take action promptly instead of building something and realizing two months later that we need to go back and fix it. That's not going to happen; we can identify and resolve issues within a day.

The tool is great in terms of ensuring our code is clean, recommending best practices, and capturing the flaws in third-party components.

Veracode has an impact on our organization's overall security posture. Because when we do development for internal purposes, we don't run a Veracode scan very often. But when we work in a client environment, if they want us to build something for them, we absolutely need to ensure that we haven't introduced any flaws or problematic code into their system.

Veracode helps us maintain the reputation and branding of our company, which is crucial for us. It's important to ensure the code is free from vulnerabilities and not exposed to hacks. It is very important to us.

The most valuable feature is Veracode SDP, which allows for something related to third-party vulnerabilities. When we build a product, we use a lot of third-party libraries instead of building everything from scratch. We just use a library which has already been built; we just use that component in our product. Sometimes, these libraries may have bugs or issues, and it's hard to keep track of them because we use thousands of them.

Veracode's tool scans every single library and gives a dashboard showing the number of libraries, high and low criticality issues, and whether a product has any issues. It helps us assess the libraries and decide whether to resolve the issues or replace the library to minimize risks.

I like the solution's ability to prevent vulnerable code from going into production. It does a pretty good job in most cases, but I have seen a few false positives in the code scan. It means that sometimes, like recently, we run a scan where we encounter a part of JavaScript code where it's just a string evaluation. Despite not posing any real threat, the system flagged it as a potential vulnerability, suggesting it could be exploited to hack into the system. We looked into that code and found it wasn't the case; it was a false positive. It wasn't a big issue because we reported it to Veracode, and they made an exception and resolved it. It does a pretty good job, but sometimes it can be very misleading.

However, the solution's false positive is not a big deal because it's very minimal. Veracode does a very good job, but 99% of the time, it works well. Only, like, 1% - 2%. Like, sometimes we manage false positives. It's not a big blocker as well. Every software is not perfect. Also, these are very minimal fixes. Sometimes, if we raise a support ticket to mitigate this issue, the response is also pretty good, and it can be resolved within one or two days. So it's not that big of a deal.

One area for improvement is the navigation in the UI. For junior developers or newcomers to the team, it can be confusing. The UI doesn't clearly bundle together certain elements associated with a scan. While running a scan, there are various aspects linked to it, but in the UI, they appear separate. It would be beneficial if they could redesign the UI to make it more intuitive for users.

In future releases, I would like to see some features. For example, there's a library we use as a third-party library. Sometimes, Veracode indicates that we can't use a particular tool because it has a lot of vulnerabilities in the code. It would be nice if Veracode's scan could show an alternative library to use instead of the one flagged as problematic

So instead of us having to go back and research, trying to figure out what other tool we can use as an alternative, if Veracode could provide those recommendations within the tool itself, it would be nice.

I've used the product for almost three to four years, but it's been a while since I haven't used the tool. But I started using this solution again. I started working on it again in the past month.

Veracode is 100% stable. We haven't encountered any issues.

It is a scalable solution. Veracode has a concept called Sandboxes, which is an amazing feature and pretty useful. I can kick off multiple scans, and they all run independently. There's no interference between scans. So, it's highly scalable, and we haven't had any issues with it. It is good.

For our team, we currently use it for two projects.

I've personally interacted with the customer service and support recently for a few issues, and their support is amazing.

Positive

The initial setup is very easy. It's not that complicated.

Moreover, the false positive rate of static analysis can affect the time spent on tuning policies. It took at least one day for me to raise that mitigation and approval ticket to look into it. Veracode needed to spend, like, six to eight hours, which essentially goes up to a day to resolve it.

The solution has 100% helped our developers save time. 100% right now in terms of ensuring the code is good and deploying it safely. Veracode definitely helps us be very confident when we go for product releases. It has helped our developers save time.

As a lead developer, it takes me one or two days to set up everything in Veracode scan. Once it's set up, the junior developers don't need to do a single thing. They just push their code, and they don't even realize that a scan is running in the background. So they don't need to worry about it. However, in terms of readiness for the production release, Veracode definitely helps us be confident and quickly identify the risks. There's a huge benefit in that area.

In the beginning, two or three years back, we were pretty new to Veracode, and we did seek help from the Veracode consulting team. Their support is amazing. If I send an email for any help, they respond within 30 minutes. Their response time is good, and they provide clear guidance.

I've personally interacted with them recently for a few issues, and their support is amazing.

So, initially, we did take consultation when we set it up, but once we became comfortable and familiar with the process and the documentation was also clear, we started managing it ourselves.

For the implementation process, a developer pushes changes to the master branch or a feature branch the first step is to trigger the Veracode scan in the CI/CD pipeline. We use Azure DevOps for this.

The next step is to include the code in the Veracode scan. This is the second step. Before going into further steps like building the Docker image and containerizing the application for deployment, we have a condition in place. If the Veracode scan doesn't complete successfully, we don't proceed to the next step, and the entire build fails.

We don't need a lot of members for the deployment part. It's only me and my technical expertise, like, one or two people. Any DevOps is enough.

We don't see much need for maintenance. It's pretty easy to manage. Veracode is also maintained by a dedicated team internally, and they provide support for everyone within the organization. So, if there are any upgrades or maintenance required, they take care of it. But from our team's perspective, there's no need for ongoing maintenance. We set it up once, and that's it.

The solution reduced the cost of the development setups for your organization. It is a key feature of Veracode. Once you set it up for the first time and integrate your CI/CD pipeline with our DevOps cycle and the Veracode scan, it takes two or three days to set it up initially. 

But after that, it's a one-time effort. You don't need to do anything further. You need to kick off the pipeline, and it runs the scans automatically, providing artifacts for you to review in the report. So it helps in the long run. Once you have your project set up correctly, there's no need for manual intervention at all once it's hooked up. It's a significant long-term benefit.

We have a dedicated team that handles research, but I personally have only used Veracode for scanning. Our team used to use SonarQube.

Our company used to run both Veracode and SonarQube scans for certain projects. Sometimes, some of the scans were not included in Veracode, so the team used SonarQube for those. However, this was quite a while ago, about two years back.

I would suggest starting Veracode scans at the earliest stage of development. It's crucial to catch vulnerabilities and risks early on so you don't invest too much time building something only to realize later that it can't be used due to a lot of issues, especially with third-party components. Using these tools as early as possible will benefit you in the long run and allow you to ship your product more quickly.

Overall, I would rate the solution a nine out of ten.

I have implemented Veracode for both static and dynamic analysis to minimize errors in my application and avoid the need for manual reviews. This enables us to create a risk-free application in the code. Additionally, I utilize external libraries and licensing to accelerate the process of identifying vulnerabilities in my software development. This helps me and the development team to provide comprehensive information about the code.

Veracode's capability to prevent the deployment of vulnerable code is impressive. It allows for quick detection of defects during the development cycle, leading to faster release of improved code, and ultimately ensuring that our product is free of vulnerabilities. This feature is a great advantage for our organization.

SBOM is beneficial as it enables us to verify software licensing through static scanning. This helps ensure that the product we provide in the market is compliant with industry standards and user needs. In my opinion, this is a fantastic feature.

Creating a report is easy when using a sample template that we can relate to. If we know what kind of data we want to include and how we want it to be presented, the process of creating a report can be completed quickly.

The main advantage of using Veracode is the assurance that we are developing stable, secure, and fast solutions that are free of risks. This provides us with a clear picture of our progress toward our goals. Veracode helps our developers by providing remedial action and reports in various formats, ranging from summary to detailed. This allows us to customize our reports and share visually appealing reports with the team.

Having visibility into the status of our applications at every phase of development throughout the software development cycle enhances our DevOps productivity and ensures a stable solution.

The false positive rate is valuable. The benefit is that the false positive results provide our developers with a clear understanding of their proficiency level in development. However, the drawback is that during fast penetration or testing, they may receive alerts that can cause frustration. Additionally, if they perform another test, the previous alert may not appear again, making it difficult to address the issue. Overall, I believe that false positives can boost our developers' confidence in their abilities to a certain degree.

The false positives identified through static analysis have been beneficial in saving us time. Due to our use of advanced tools and record-keeping practices, we have been able to streamline processes such as data importing, which may have otherwise required local or manual methods. This has resulted in significant cost and time savings for our team. With the ability to work remotely using tools like Veracode, we are able to provide effective reporting and management for all software applications.

Veracode has been a time-saver for our developers by enabling those with different programming languages and skills to collaborate and develop stable solutions together. As a result, we are able to save some time.

Our overall security posture has been positively impacted by Veracode. We are confident that our solutions are highly secure for our clients and stakeholders. With Veracode's assistance, we ensure that our applications and software are free from bad code and other vulnerabilities. By troubleshooting alerts, we prevent abnormal codes from reaching production, creating stable and secure solutions. Veracode helps ensure social sustainability during the UAT process before we release the final product to consumers, resulting in a highly secure end product. Veracode has enabled us to offer a stable and trusted solution that fosters transparency between our company and the end-users, supporting their needs and activities.

Veracode reduced the cost of our DevSecOps by allowing us to use a single tool that can be operated by a small team of developers. We saved around $1,500 USD using Veracode.

I believe that testing code early on is always beneficial, and using UI saves time by detecting issues in the flow before the release cycle through verification scanning. Additionally, I appreciate the integration provided by Veracode that seamlessly integrates with our CI/CD tools and allows us to integrate with IPA as well. Overall, I'm impressed with the integration and user interface.

Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans. However, we can run these scans in the background to minimize disruptions. Static scanning can be a slow process that requires some time.

The cost and scalability also have room for improvement.

I have been using the solution for three years.

Veracode has no downtime and is highly stable.

The scalability is neutral because it lacks some integration. We have 12 end-users within our software and engineering departments.

The technical support is responsive and helps us resolve our issues quickly.

Positive

The initial setup is straightforward. I deployed the solution myself.

The implementation was completed in-house.

Veracode assists us in increasing our sales by allowing us to redirect the funds that would have been used to pay our ex-pats to troubleshoot errors or issues with vulnerable code. Consequently, we are experiencing a higher return on investment, and our company has generated over 55 percent return on investment since implementing Veracode.

The pricing for Veracode is high, making it difficult for beginners to afford. Whether or not Veracode is a viable option may depend on the specific needs and use cases of the user, as it may not be affordable for small businesses.

Veracode is costly, which makes it unsuitable for small organizations. However, if an organization has the budget for the solution, it is worth investing in.

I give the solution a seven out of ten.

I believe that it is a wise decision to test our code to ensure its security. Utilizing Veracode is a beneficial practice as it examines our code and provides recommendations on areas that require improvement. This ultimately results in a stable solution. However, I advise using Veracode only if the business has the budget for it, as it can be expensive. Any organization that chooses to use Veracode, can be confident in the quality of its solution but must be prepared for the associated costs.

We use Veracode for application scanning.

Veracode is able to prevent vulnerable code from going into production.

Veracode has helped us to identify the vulnerable code in our applications before we put them into production.

The solution allows us to ensure compliance with standards and regulations.

Veracode provides visibility into the application status at every phase of development which makes it easier for our DevSecOps to do their jobs.

I give a nine out of ten for Veracode's ability to identify false positives. The false positive rate has increased our developer's confidence.

Veracode has enhanced our capability to address flaws by identifying bugs that may not have been detected through static analysis data.

Veracode has had a positive impact on our organization by providing us with greater insight into our data.

Veracode helps our developers save approximately ten percent of their time by detecting code issues and enabling them to promptly fix bugs before releasing the information into production.

Veracode helps secure our private data which improves our overall security posture.

Being able to scan our applications and identify all codes and defects is an extremely valuable feature.

Scanning large amounts of code can be a time-consuming process and there is scope for improvement.

I have been using the solution for nine months.

Veracode is stable.

Veracode is scalable. We have between 300 to 500 users.

The technical support is responsive.

Positive

We previously used some open source solutions and the management teams decided to switch over to Veracode.

I give the solution an eight out of ten.

We have Veracode deployed in multiple locations.

Maintenance is only required when updating the solution.

You should evaluate multiple solutions, but I suggest considering Veracode if it aligns with the organization's requirements.

Our primary uses are for reviews of our code and overall software environment, bug fixes, and detection of security flaws.  

We use the solution across multiple locations and regions, including Asia Pacific, EMEA, and North America. Our user base consists of 5200 individuals. 

The solution has given us real results when it comes to improving our overall security posture; it provides the best security and reports, indicates any flaws that may be present, and allows us to take steps to rectify them. The tool is now a part of our DevSecOps, and we truly rely on it.  

Regarding our ability to fix flaws, Veracode is very helpful; it provides a sense of confidence to our developers and a summary of reports that we can share with stakeholders such as our clients and senior management. The solution identifies security loopholes and gives us detailed feedback reports, allowing us to take action to remedy our security vulnerabilities. 

Veracode helped our developers save time; two or three development team members were previously dedicated to code security. By automating this task using the solution, those developers can reallocate their time to core software development, which is an excellent result. The time saved is in the region of 25%.   

Static Analysis' false positive rate positively affected time and costs related to tuning, leveraging data, and machine learning. Tuning data is essential as it gives us update optimization within our database, which is helpful for any organization. Veracode is the industry leader in being a one-stop shop security solution; it takes care of every aspect.  

The user interface is excellent, the code review process is quick and provides great analytics to understand our code better, and the SAST scan is high-speed.

Veracode is excellent at preventing vulnerable code from going into production; the scans are speedy and give us a detailed analysis of our code. 

We use the Software Bill of Materials feature; it's essential and advantageous. We can't do a bill of materials manually, so it's excellent that Veracode provides this. SBOM helps us manage our risks, as every company has software that needs to be run appropriately throughout the user and client base. It's necessary to have a security audit or security compliance in such applications, and Veracode enables this functionality so we can easily identify security flaws and take measurable action.

Creating a report using the SBOM feature is straightforward, and it's important to our organization because it provides a return on our investment. Previously, we sometimes required a third-party resource to create reports, but with Veracode, it's easier to take care of that on our end.  

The solution's policy reporting allows us to set our standards, group policies, and regulations, so ensuring code compliance is part of its analysis. Veracode notifies us if any flaws are detected, allowing us to take action to correct them.  

The solution provides visibility into application status at every development phase throughout the SDLC; we can use Veracode during the development, design, testing, and implementation phases. We can easily analyze our code before commencing large production deployments and fix any issues.   

Sometimes we get a lot of false positives even after configuring our policies, so that could be improved.

There is an issue where the UI occasionally breaks in between uses of the application, which can be improved. The UI could also be more catchy for the benefit of the less technical users. 

It would be good if the configuration of dynamic scanning could be less complex.

We've been using the solution for over three years. 

The solution is stable. It wasn't before, as different organizations required new group policies and configurations. The product has yet to mature fully but has developed enough to adopt a stable position in the market.

The solution is as scalable as required, but we must pay for that. 

The technical support is good; I rate them nine out of ten.

Positive

We previously used some open-source software, but our developers generally manually performed code-checking. Our requirement is for a solution that takes care of our software code and security throughout the SDLC. Following evaluation, we found Veracode more useful in terms of licensing, pricing, and features.

The initial setup was straightforward; it took seven to ten days, including gathering all requirements, overall deployment, and the final implementation. The deployment team consisted of four to five members. 

The product doesn't require any maintenance; operations and support are primarily handled by Veracode, as it's a fully managed service. 

We have seen an ROI with Veracode regarding time, money, and overall organization reports. Our ROI is in the region of 25-30%.

The solution reduced the cost of our DevSecOps by lowering the headcount for those previously dedicated to security throughout the SDLC. They can now spend more time improving their code base and focusing on development.  

The pricing and licensing are reasonable, and relatively straightforward, and different licensing and subscription models are available.

To someone considering Veracode but concerned about the price, it can be a challenge for small and mid-sized organizations, but it's a good choice for larger enterprises. If security is a primary concern for any organization, they should consider Veracode; they won't be disappointed.  

We evaluated GitLab, Micro Focus, and SonarQube. 

I rate the solution nine out of ten. 

Regarding the tool's false positive rate, the analysis is good but can be affected by data and code not supported by Veracode. In these cases, we can experience some challenges, but other than that, the false positive reporting is good. In cases of unsupported code, developer confidence can be affected, as we know there may be some flaws we can't control. If they are minor enough, we can ignore them.

I advise others considering the product to go with it if it fulfills their requirements. Veracode is a tested name in the market for application security and detecting flawed code. They should evaluate other options if they fit the needs better, but I highly recommend Veracode.