Veracode Reviews

We used it for static and dynamic testing to check if there were any vulnerabilities in the code. If there were any vulnerabilities, we would check the report downloaded from the Veracode portal and try to fix the code before deploying it.

Veracode helped me remove errors, and it didn't take a long time to fix any issue because I had an answer regarding where the code needed to be fixed. That feature helped us test our cases and get them deployed. It helped me fix vulnerabilities and any other errors before deployment to the applications.

The SAST and DAST scans—we used it both before code was deployed and after it was deployed—helped us run through the issues and keep track of their status. It was deployed in the pipelines, through Jenkins, and checked the logs in Kubernetes.

The solution also saved us time. I really liked the automatic scanning because there was no way to know where an issue was. Human tendency is to make mistakes, but Veracode helped us find the exact spot where an error was and change it. The reporting helped us do that in a short amount of time.

For our team, it had a very good impact. My manager used to suggest that before taking code to the next level, it was a really good idea to scan it.

I liked that I could easily find out where my errors were. Instead of going through the whole code and the scripts, it showed me where the errors were and gave me an idea of how to fix them.

The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed.

Also, with upgrades, we had quite a difficult time tracking the reports, so there was some maintenance around that.

I used Veracode for 13 months.

I had a situation that was due to a slow network, and I couldn't get results within a specific time. Because of that, there was a lag in production; we couldn't deploy the code on time. There was a crash, and because of that, we couldn't meet our production deadline.

The downtime happened two or three times. I thought it was due to a network issue when it happened once, but then I came to understand that it was a maintenance issue.

Veracode is really not difficult or complex to understand. The whole concept is simple. It takes some time to get used to the tool, but it is a very simple tool to work with.

It was quite fast. Scanning my code took 25 to 30 minutes, which was quite good.

We use Veracode to identify and detect security vulnerabilities in our applications before they are uploaded, deployed, or used. This gives us greater confidence in the security of our applications, which leads to positive feedback from our clients.

The solution's ability to prevent vulnerable code from going into production is a good thing because we have not upgraded to detect any variable code before deployment. Therefore, it is a good way to start our campaign.

Using SBOM to manage risks is straightforward and faster because it does not require technical skills. This makes it easy and straightforward to implement and use to prevent vulnerabilities and ensure compliance with any policy in any industry. Creating reports using SBOM is easy.

Veracode is helping us by providing alerts to ensure that we are providing a good application that does not have security vulnerabilities. This means that any client using our application or software can be confident that it is stable, secure, and risk-free. As a result, our organization is benefiting from cost savings and increased sales.

Veracode's policy reporting for enabling compliance with industry standards and regulations can be a bit complex for beginners, but it is much easier and quicker for experienced users.

Veracode provides visibility into application status throughout the development process. It is easy to understand the severity of a threat, thanks to their clear and concise documentation. This documentation can be used to understand code, security, vulnerabilities, and project management. Veracode also helps ensure compliance with all industry standards.

Veracode's visibility helps our DevSecOps team because it supports multiple programming languages. This means that teams with different programming languages can use Veracode to remotely collaborate and develop a stable solution. As a result, our developer team is not affected and can continue to provide high-quality, bug-free products on time, which is beneficial to our current and future clients.

Veracode's false positive rate is low.

Veracode's low false positive rate increases our developers' confidence. Some developers may have used a different solution in the past or may have had a different experience with another vendor. Therefore, I believe that initially, they may not be confident in Veracode when some vulnerable code is found in their primary code. This can sometimes make them feel unprofessional, but ultimately, since we are using a professional solution, their confidence will grow and become positive. This is because they will realize that if this code has vulnerabilities, the next time they release a project or application, they need to be very transparent and careful to avoid any problems. Therefore, the initial confidence may be shaken, but as developers get used to Veracode, it becomes much easier and their confidence in developing improves.

Regarding time, static analysis's false positive rate has reduced the amount of time we would have spent using other solutions or the cost of using a high-tech team to do it. Additionally, the cost of accessing running machines in this era is quite expensive. However, if we have the opportunity to use Veracode with its multiple features, I think it is a very good setting for any company during the learning process of using machines.

With Veracode, we can perform multiple scans simultaneously in different programming languages. This is different from other solutions, where we would manually or independently scan each application or programming language. Veracode allows us to scan more quickly and easily. The time it takes to detect flaws in the code is not comparable to the previous solution, because Veracode speeds up the process and makes it easier to create reports. We can share these reports with other developers to create free call-to-action campaigns and improve the user experience. By the time we deploy our applications, we can be confident that they are secure.

Veracode helped our developers save time by providing a solution that can be integrated with other IDEs, such as Visual Studio Code. This allows developers to use a tool that they are familiar with and that is readily available. This, in turn, helps them to develop faster because the interactivity tools support every programming language. This means that developers do not have to create a lot of code before they can start using Veracode. Instead, they can focus on adding more logic and functionality to their code. Veracode can then help them to test and secure their code more quickly. Overall, Veracode has helped our developers save an average of 30 percent of the time they would have otherwise spent on security testing.

Veracode has had a positive impact on our security posture. We are now able to create secure and stable solutions more quickly because of their transparency, speed, and visibility.

Veracode reduced the cost of our DevSecOps by around eight percent.

Veracode is very easy to use. I use it to scan my Java Micro Service, and it is easy to configure. It does not require any software to be installed, and it can access data files and scan them quickly. This makes it very user-friendly.

Scanning progress is highly dependent on the speed of the Internet. This can create confusion about the completion of scanning tasks. For example, a static scan may detect all vulnerabilities during a single scan, but when static scanning is disabled, some vulnerabilities may be detected during one scan, but not during the next scan or a subsequent scan. This inconsistency can make it difficult to track vulnerabilities. Additionally, The solution does not make it easy to mitigate vulnerabilities that are not detected by static scanning.

The price of the solution has room for improvement.

I have been using Veracode for three years.

Veracode is stable as long as we have a good internet connection. The stability of Veracode is based on the internet speed.

Veracode is scalable. We use Veracode in multiple departments. Ten people in our organization use the solution.

The initial deployment was straightforward and took two of us five days to complete the deployment.

We implemented the solution in-house.

With Veracode, we are developing more secure, scalable, and stable applications on a faster track. Our clients know that they can trust us to deliver secure applications that meet their expectations. This led to increased sales, even though our products are priced higher than our competitors. We are able to charge a premium because our products meet the Swedish standard for security, compliance, and risk. As a result, we have seen a 65 percent return on investment.

Veracode is expensive.

I give Veracode an eight out of ten.

Veracode is not a cost-effective solution for small businesses, but it is a good solution for medium and enterprise businesses.

Veracode does not require any maintenance.

I recommend Veracode to organizations that need a static code security analysis. Veracode is simple to understand and supports all programming languages.

I use Veracode to ensure the projects I deliver don't have vulnerabilities. 

Veracode provides insight into vulnerabilities at every stage, so your team can progress through the development cycle more efficiently. It improves developer confidence by showing us our capabilities and the potential of our code. 

Our developers improve and become more efficient using Veracode. Once we identify issues in our code, it's much easier to avoid the same mistakes in future projects. It teaches them how to overcome those vulnerabilities and errors while reducing costs.

Veracode saves a lot of time compared to traditional methods for identifying vulnerabilities. We save around $500 a month using Veracode because we don't need to hire experts. 

Veracode has improved our overall security posture. We feel assured that applications we deliver to clients or use internally are highly secure. It has helped us develop strategies to create stable, secure platforms.

I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate. I love the Software Bill of Materials (SBOM) feature because it helps you explore various industries and understand what to do to minimize risks and maintain compliance. It's straightforward and ensures my applications are compliant. 

It's easy to create reports using the SBOM feature because it has templates that you can customize depending on the reporting requirements. It gives me a report of the compliance requirements for any industry. It helps us internally and improves the services we provide to our clients.

Veracode is great for preventing vulnerable code from going into production because it covers various programming languages like JavaScript and PHP. You can be confident that your code is secure no matter which language you use.

Static scanning takes a long time, so you need to patiently wait for the scan to achieve. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings. 

I've used Veracode for three years.

Veracode is stable. I've been working with it for a long time. 

I rate Veracode support 10 out of 10. They're friendly and responsive. 

Positive

Deploying Veracode is straightforward. I did it with one other colleague. 

We can afford Veracode, but it's too expensive for small enterprises. If you're concerned about the price, you should weigh the benefits you can achieve. It has saved us a lot of money on DevOps. We save about $500 a month by not outsourcing this work to experts.  

I rate Veracode eight out of 10.

It's an excellent product for developing a secure platform that will benefit your company and its customers while helping you build a sustainable development team. Before implementing Veracode, you need to prepare and have at least one person who understands how to use the product. 

In my previous company, we had a healthcare app. We used Veracode to run a spontaneous static analysis as well as dynamic analysis, to resolve our vulnerabilities. We were releasing versions every month. Each month we were looking at the results of Veracode and fixing the problems.

It helps fix a lot of flaws and bugs. As a developer, you look at things with a different perspective with the Veracode results. You can see that certain things can be implemented in another way, how they can be more secure. As a result, it helps improve your level of understanding and decrease the number of production issues.

Using Veracode, it was very interesting to see the difference when I compared things over a three-month timeline. During the initial three months, when I started using Veracode, I found the percentage rate of flaws was around 60 to 70 percent in the entire file we were uploading. After using Veracode over the next three months, our score decreased to a 30 to 40 percent flaw rate. We were able to do our quarterly development in a very secure way.

For example, we recently encountered a flaw that might be exploited. We implemented a function to store passwords that were encrypted. That functionality was written in a pretty vulnerable manner. By looking at the code, we could see, "Okay, this might be exploited." But when Veracode pointed out multiple times, "This might be vulnerable," and "This might be vulnerable," it helped us improve our developer standards. It gave us a brief idea of how this particular code implementation could be improved.

There is also a feature called Veracode Pipeline Scan which provides instantaneous feedback. That was a major addition to our process and has worked out very well. Developers get instant feedback about their flaws, making them easy to fix while in pre-production. That is one of the major boosts that we have implemented. It enables our developers to fix things in parallel, and that has saved time, about 20 to 25 percent, and resulted in better coding. As a security guy, I can see the differences between the initial processes and the processes we have six to eight months after implementing Veracode Pipeline Scan and Veracode in general. 

Overall, it has reduced the time that we used to spend working manually to pinpoint the issues that we found. Veracode makes it an automated process. Also, we can use it in parallel. If Veracode is the main "hub," we can have "sub-hubs" such as static analysis and Veracode Pipeline Scans. Both can be done simultaneously, reducing the manpower required by a lot, and providing correct results. And it has improved our understanding of the different kinds of flaws and vulnerabilities that are in the report. Veracode, as a tool, has made things better.

In terms of security posture, when I had just joined my previous organization, there was a meeting about client feedback. Initially, their comments were that things were not very stable. They said it was easy to steal data. After using Veracode, and as our developers adapted the tool and developed secure code, the client's feedback was that things were pretty stable and good. At first, the feedback was very ruthless. We were not up to security standards. But once we started using Veracode, it became the main pillar of our security. We overcame certain challenges and the client feedback was pretty good.

It yields around 90 percent accurate results. It pinpoints the errors. Its accuracy is very interesting. It also elaborates on flaws, meaning it provides you with details about what is valid or not and how something can be fixed.

Another valuable feature is in the dynamic analysis, which provides information on which libraries are outdated so that we can improve them and get them up to date. We found a lot of outdated libraries in use in our organization. As a result, it has improved our stability. The software composition analysis keeps you updated on each kind of data it reports on, including libraries and third-party DLLs.

There is a sandbox limit of 10 so any company using Veracode needs to plan for only having those 10 sandboxes. If they increased that to 25 or 30, the scan time would decrease and the results should be more effective.

There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. 

Also, the duration of the scan is a bit too long.

I used Veracode in my previous company but recently changed to a new company. Overall, I have used it for around 1.5 years.

Its stability is fine. On a scale of one to 10, I would give it a seven for stability.

It's a scalable solution.

We have it implemented in two offices, the main office in the US and a single office in India. There are only 10 to 12 people using it in our organization, meaning in India. I am not aware of how many users there are in the US.

Their support team needs to respond in less time. It takes a lot of time for them to respond. When we reach out, we are waiting, most of the time, for two or three weeks to get a reply from them. That is the one major piece of feedback I have for Veracode.

Their technical support is very good, except for the response time. When we are stuck with something technical, they explain how to use it in multiple ways. They are supportive and that is pretty good.

Neutral

We were using a couple of other tools along with Veracode. One was SonarQube and the other was Acunetix.

The false positive rate is pretty low. When I started using Veracode, there were a lot of false positives, but that number became notably smaller. There are some false positives because new types of flaws are generated for each new version.

Initially, in general, whenever you see any kind of false positives or true negatives, it reduces your confidence. But whenever the reports are generated by Veracode, as developers we can understand that they show certain patterns of what might be a false positive. So we get an idea that this kind of a flaw might be a false positive while this kind might not be a false positive. We get clarity about the reports sent by Veracode. At a certain point, we might be sure that we can explain all the false positive data to management so that they can look into them and understand: If this kind of data or this kind of code flaw comes up, it is a false positive. We can easily associate these scenarios with false positives because they are normal and common.

During the initial phase, false positives affect our time because we can't deduce any conclusions. Static analysis is the kind of process in which you will encounter false positives in certain cases. But after a couple of implementations of machine learning, the results should be pretty accurate and the false positives should decrease.

Preventive maintenance is critical. Per my experience with Veracode, there are certain maintenance issues, but they are the normal types of things.

I would highly recommend Veracode, but initially, don't do a deep dive into the tool. Take a couple of licenses to start adapting to the tool and work out how it works and whether it's suitable for your development processes and developers, and get their feedback. I highly recommend it because it's a real time-saver, provides stability, and improves your organization's productivity.

I use Veracode for static and dynamic analysis.

Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode.

I've been using Veracode for four or five years.

We have about 230 users. 

We've raised a few tickets with Veracode support. Sometimes, their frontline support can resolve the issue, but we may need to escalate it and get their global team involved. The problem is usually resolved in a couple of days. Overall, support is not a concern. It's fine.

Veracode is an easy-to-use browser-based solution. It isn't a standalone product like Fortify, so there's no installation. You put in the credentials and start the scan. 

While Veracode is way ahead of its competitors on Gartner Magic Quadrant, it's a bit more expensive than Fortify. It's a good solution for the cost, but if we had a high budget, we would go with Checkmarx, which is much better than Veracode. 

Veracode and Micro Focus Fortify SSC are both making progress. Fortify's cloud-on-demand model is an improvement over the past. Both solutions handle the analysis part well, but Fortify needs to improve a lot of things. For one, Micro Focus Fortify hasn't been updated in a long time. They acquired the solution from HP long back, but I haven't seen much improvement. 

Veracode's browser-based solution doesn't have cloud-on-demand functionality. You only need to give consent once on Veracode's access URL, but Micro Focus requires another consent for Dynamic Application testing for WebInspect server, so we need to use SQL Server Express for the WebInspect server. 

We have some difficulties in a SQL Server because a client might not be able to install that in their environment. We may be able to install WebInspect, but we face some challenges dealing with SQL Server Express and other dependents. We have issues with those other supported plugins, libraries, or framework installation parts.

I rate Veracode Static Analysis eight out of 10. I recommend Veracode over Micro Focus. Some companies prefer Micro Focus because they can get a discount and buy it for less than the market price. That's the only reason to use Micro Focus. Otherwise, I don't think Micro Focus can compete with Veracode.

We decided to begin a partnership with Veracode, so we can improve our services and provide the customers that trust us with a platform capable to report vulnerabilities and also delegate and keep tracking of the remediation until the applications score 100% on stability before they go to production.

• Customer and professional support
• Live sessions and training
• The coverage of the last vulnerabilities reported
• The coverage of the programming languages

• To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources.

Compiled code means that the code written is stored in binaries for machine reading only. Veracode reads only those binaries (compiled code). The other way to have the code is “Source Code written only”, a process where you don’t compile and anyone is able to read line by line the code.

This example might seem weird, but maybe will clear things out:

Binary Code (Supported by Veracode):

11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010

11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 11110 010

1111000101000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 0101

Source Code:

public class HelloWorld {

public static void main(String[] args) {

// Prints "Hello, World" to the terminal window.

System.out.println("Hello, World");

}

}

When tracking source code vulnerabilities, sometimes it’s possible that the tool loses the path of the issues when the source code has been modified significantly.

Customer Service:

Customer and platform support is one of the best in the field. The experts are skilled and can have as many meetings and researches as needed.

Technical Support:

The Veracode support team excels with help of their experts capable to solve most of the situations, and taking advantage of the variety of their members to delegate issues and problems to solve.

I use a portfolio of tools for security consulting, but Veracode is the main app I rely on because customers are happy to be able to track the status of each individual issue or vulnerability.

Initial setup is very complex, requiring security knowledge, but it’s easy when experts guide you through all the process. Even after months of use, the Veracode experts are always there to help you on both the workflow and the dashboard tool.

Veracode is a very complete tool; that drives you to invite customers, the apps team, developers and even the product and marketing team to navigate through the whole application. Its complexity makes it quite expensive, but it’s all worth it, with all the engineering in the background.

Before choosing this product, many tools were tested, such as HPE WebInspect, AppScan, Checkmarx, etc. Those tools are good, and do their jobs really well. Veracode has many pros that involve a human touch, which is something a consulting firm, customers and big companies want from the information technology field.

I recommend exhausting all resources and gaining knowledge from different security tools, before making a decision. Veracode is not cheap, but it is a tool capable of giving dynamic, static and even manual scan results in one platform. Veracode is one of very few options out there, and the very best.

Our primary use case for Veracode is to secure our software development lifecycle. It's deployed in a couple of countries and connected to multiple applications. It's used by five development teams, each of which has a different focus, such as digital channels, CRM, ERP, backend deployment, and billing. We also have a team that coordinates all of the efforts of the secure development policies. That team sets the guidelines and policies. The entire development team has about 20-30 people. 

Veracode has sped up the development cycle, helping us bring products to the market faster. I work at an IT services company with hundreds of customers who have various needs for different kinds of tools. That doesn't mean we use Veracode for all our customers, but for certain customers, it's critical because the solution reduces the amount of time needed to prevent and detect issues. Bringing secure applications into production is essential. 

We can't just rely on our development teams to make, test, and manually review the code. We need powerful tools that provide a strong framework for detecting vulnerabilities and scanning application components. Penetration testing is the most important because hackers break into the application and access the information. 

Dynamic analysis is also crucial for web applications, which can be risky. Veracode can dynamically detect vulnerabilities and block traffic. It is sometimes hard to differentiate real users from hackers. Dynamic analysis must be implemented with a user-sensitive perspective. 

I work in Latin America, and there are regulations on information security and the use of customer information. The most vital areas are things like health information and finance. You can face penalties for failing to protect customer information, so it's critical for us to secure our code during development. Any vulnerable code or application component can risk disclosing customer information from customers and allowing an outsider to penetrate the systems or databases.

Veracode offers visibility throughout the entire development lifecycle. SecOps is an essential framework inside the organization currently because we need to deliver applications to market faster while improving code quality. It's crucial to be careful when using code generated by community sources. We need to test the final applications and also the components and packages in any code repository we use. 

We're deploying complex pipelines and utilizing CI/CD. For example, Veracode is important when connecting management tools, code repositories, and various cloud components. Having that integration and capacity to connect to various tools in the DevOps framework is vital for the DevOps team. Every business must decide its risk tolerance and set a threshold of vulnerability permissions in the application to detect. It's really powerful if you can configure the threshold correctly. 

Developer confidence depends on their capacity to understand, and Veracode has to detect vulnerabilities and provide suggestions for correcting them. Sometimes it's an upgrade; sometimes not. It also provides different kinds of information to the developers. 

Veracode has had an enormous impact on our ability to detect flaws. It's risky if we don't have the capacity to detect vulnerabilities in the earliest stage of development before the applications go into production. It's also an important time-saving tool. It reduces the time spent manually addressing vulnerabilities by about 20-30 percent. 

I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc. 

Most of the time, the key thing was to ensure the security of digital channels and reduce the risk of any breach that could cause a security issue. It's critical to maintain the security of sensitive information transferred from our customers to the sales staff. Keeping that data secure is important for the customer relationship and also for compliance and recurring sales.

I rate Veracode 10 out of 10 for its ability to prevent vulnerable code from entering production. It has a lot of useful and intuitive features. In previous settings, static analysis was one of the primary use cases, but dynamic analysis is also helpful. Veracode is highly valuable because one vulnerability could result in service downtime or worse: a leak of customer information. 

The investment in the tool is justified because we can detect and prevent vulnerabilities much earlier in the process. Software composition analysis is also vital when we use open-source middleware or backend components for business-critical functions like bringing information from one source to another or connecting one application to another. 

Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data. 

You pay for all of the time that the tool is running, not for the number of scans. There are specific rules governing the amount of traffic applications can consume from the allotment you have. I would like the pricing to be more personalized. For example, some companies don't have a large budget for this kind of tool, whereas a large enterprise can acquire this kind of solution and pay for it. However, I'm an IT consultant working with various types of customers in different industries, including finance, insurance, and telecommunications.

I started using Veracode at least three years ago.

Veracode is a highly stable platform. I haven't experienced any service disruption, and the performance is solid. 

I've used Veracode in a telecommunication company with a huge environment and more than a hundred applications. I don't have experience with smaller-scale use cases, but I know the cloud is quite scalable. 

I rate Veracode support nine out of 10. We get support from the resellers and direct support from Veracode analysts. We call the support team or the architect when there is a serious technical isssue. 

Positive

I haven't used a commercial tool like Veracode before. It depends on where I'm working, but the most common tool we use is an open-source solution called SonarQube. 

Veracode is straightforward to deploy. It's not hard to connect it, and we had support from a local vendor to help us integrate it into our dev lifecycle. It required only one person from my team. 

We had assistance from our local reseller, and the experience was great because we had a direct connection from the partner to the brand. We have a local team member who was in charge of the resell process. 

We calculate the return on investment primarily based on the risk. We calculate the ROI annually, but it's not very detailed. We factor in the risks associated with the loss of customer information loss, penalties for noncompliance, etc. In the worst-case scenario, we estimate that could potentially lose up to $1 million annually. 

The licensing model could be more flexible, and Veracode could be more accessible to smaller enterprises. We obtained Veracode through a consultancy. Veracode sets the price through consultation with our reseller, but I have yet to get a direct quotation without any other reseller in the middle. If you are worried about the price, I would say that you could request more information and do a trial, then see if you can negotiate an offer. 

We decided to use Veracode without comparing it to any other kind of solution, we had a kind of consultancy from one of the companies, the IT services company that was one of our partners, and they worked close to us, and we selected Barracuda the tool that we needed.

I rate Veracode nine out of 10. It's an excellent solution for securing the development lifecycle. I recommend starting with a trial and getting in touch with the account team to explore all of the different features. 

We use Veracode to scan our code before release. The scan ensures our projects will have no issues. We only use Veracode for customer-facing and revenue-generating web applications. 

Application security is paramount. It's essential to check any extended web applications we are using. Veracode enables us to check integrated segments that are based on other websites. We can also perform a light scan on some of the smaller customer-facing web applications.  

Veracode provides visibility into application status, but we do not use it during every development phase. We only use Veracode before the code goes into production. It improves our DevSecOps. We use an agile process, so we have less time to fix issues when we discover vulnerabilities. Veracode helps us fix many critical issues but only if it is compatible with all the technologies. 

It helps if the products you use are from preferred vendors like Salesforce. If your tools are incompatible, you might get some false positives. You can still use products that aren't from preferred vendors, but if you use tools like Salesforce, etc., it will automatically recognize and ignore these issues. It cuts down on the time we spend investigating. 

The overall false positive rate is good. It is about 70-80 percent accurate. In some stages, we have to let issues go and defer the fix until another time. We might wait to release a patch later. 

Veracode adds value when we run it in an integrated environment where all the core systems are similar to our production environment. It adds value to the developers in the final stages of testing or the QA environment. We can use it for functional or system testing. That is where it adds value for the developers by enabling them to fix many of the issues. Nothing flows into the queue box. We can say it has been effective if it's up to 70 percent, but if we consider the environmental constraints, it's around 30 to 40 percent. 

It adds daily value by improving the security posture of our customer-facing web applications. A developer could make a mistake not caught in the QA process. 

I like Veracode's ease of integration with various cloud platforms and tools. 

I'm also a cybersecurity expert. In addition to vulnerabilities, I am looking at this from a holistic cybersecurity perspective. Bringing Veracode in line with the latest vulnerabilities would add value. We see APT issues often, and some processes could be left vulnerable if our tool cannot cope with them. It would improve Veracode to bring it up to date with current threats that the cybersecurity industry highlights.

I would also like Veracode to offer training and certifications that users can do on their own time. It would encourage people to build skills that they could reuse across the board. Many other software publishers offer this. It helps build a user base and generate interest. Training is an excellent way to market your product. It would also be helpful to build a user community online to create a knowledge base of expert users who can answer questions and advise Veracode on ways to improve the product.

We been using Veracode for five or six years. 

SonarQube is another solution we've used. SonarQube has some limitations, and we feel like it isn't keeping pace with the technology landscape. We had to reconsider our tool, which led us to adopt Veracode.

We had some challenges initially, but I think that was due to a lack of training. After deployment, Veracode doesn't require much maintenance. 

Veracode's price is reasonable because of the value it offers. If you don't catch bad code before it goes into production, you have to spend money to rework it, and a security failure in your product can cost your company. We think it's worth what we pay.

It would be nice if Veracode were bundled with some preferred vendors like Salesforce and offered at a discount.

I rate Veracode a nine out of ten.