Veracode Reviews

We are a relatively young company that started about a decade ago. The company adopted Veracode about five years ago because it's a market leader in that segment. 

Veracode checks for security flaws in our code. We provide software for companies in the financial sector, so it's critical that we use Veracode. There are some lesser-known competitors, but Veracode is the biggest player in security software. In a way, it's good marketing to use Veracode.

We are running it locally, but we plan to move to the cloud in the next few months. We're a small company with 20 employees. Our development team deals primarily with it, and some other support guys are involved occasionally. 

We have been using Veracode for several years. It has become a crucial tool for preventing security flaws in our applications. The quality of our software has improved significantly since we started using Veracode. We have a software development shop and also provide solutions for other companies. It's critical to have our software checked by Veracode.

Our code must be free of security flaws, especially high-level ones. Our software must be above a minimum threshold. Veracode has enabled us to see the quality of our code security. We need at least an 80 percent score. We are sure that our code is high-quality and that our clients won't see security vulnerabilities in the code when we ship it to them.

Veracode covers every phase of development. We mainly use it for static analysis and recently started using it for software composition analysis.

The false positive rate is around 10 percent, which is expected in automated software. Veracode's competitors have false positives, but we're happy with Veracode's ability to mitigate the problem. We check every false positive and clear it. It does not affect our competence at all. We realize it will happen from time to time. The effect of false positives is negligible. We don't have a problem with that. We are experienced enough now to see what is or isn't. 

I like Veracode's integration with our CI/CD. It automatically scans our code when we do the build. It can also detect any security flaws in our third-party libraries. Veracode is good at pinpointing the sections of code that have vulnerabilities. 

We are testing Veracode's software composition analysis, but we're having trouble integrating it with SVN. It works out of the box when you use Git but doesn't work as well with other tools like SVN. It's more geared toward Git.

I have been using Veracode for two years in my current role.

Veracode's stability is decent. That was only one instance where it identified a security flaw but didn't detect it afterward. Otherwise, it's mostly consistent.

We use it on a couple of different projects, and we plan to move to the cloud. They have a cloud option that makes it scalable.

I rate Veracode support nine out of 10 in its current state, but given our problems in the past, I might rate it seven overall. We had some problems when I joined. They put in a lot of effort, but it took them a couple of months to get it right. They did their best to resolve it, so I appreciate that, but we weren't happy it took so long.

Positive

We don't see a direct return from using Veracode, but it ensures we deliver a product without security faults. It has also reduced our development costs, but it's difficult to quantify that. By having the code tested before we ship it to clients, we ensure our clients don't have issues with the security of our software. 

The price is reasonable and affordable for a small company like ours. Veracode provides a lot of features. You can purchase some additional tools. For example, we are currently testing software composition analysis. We discussed adding that to our standard package.  

I rate Veracode eight out of 10. I recommend first testing it on your code to see if it's appropriate. You need to see how long it takes to scan the code. 

Veracode is used to perform the dynamic analysis of our applications for security flaws. We have applications that are being used by millions of users. We needed a security analysis tool to secure the application. Veracode is helping us with the analysis of all the security flaws and discrepancies. 

It is software-as-a-service. It is in the cloud.

Earlier, we did not have any such dedicated tool for the security analysis of our application. It was quite challenging for us when on a day-to-day basis, it was accessed by the users because there could be security flaws making it prone to any third-party attacks, malware, unauthenticated access, etc. Veracode gives us a complete scanning report, which is very useful. It is informative and helpful to understand the things that we need to focus on.

Within three months of its implementation, we realized that it is a very powerful solution, and it works perfectly for all the use cases of our applications. Scanning through the application code is a very big task, and Veracode does that perfectly. It enhances the development and the coding work and is helpful for the development team and the product team.

Now, there is peace of mind. All the static and dynamic scans are done by Veracode, and we are making sure that there are no security flaws in the application. The automation of the analysis is helpful and saves our time and cost.

It is fully automated. I love the automation feature.

The findings of their security analysis are wonderful. You can easily go through all the analyses done by Veracode. You can see what are the flaws and what could be the best possible resolution to minimize those flaws in the application. When an application is being used by the public, security is a challenge. Veracode helps us to analyze all the security flaws, discrepancies, and vulnerabilities inside the application. It provides good reports.

The UI could be better. Also, there are some scenarios where there is no security flaw, but the report indicates that there is a security flaw. The report is not perfectly accurate. So, the accuracy of the scanning reports needs improvement.

It currently takes too much time to scan all the vulnerabilities in the applications and code. The time should be reduced. The scanning engine in Veracode needs some improvement in terms of performance and efficiency.

It has been two years.

The product is stable. There is no issue with that. It mostly works as expected. Sometimes, scanning analysis is not up to the mark because of some bugs or unstable releases, but 90% to 95% of the time, it works fine.

Its scalability is good. It is cloud-based. Whenever the application load increases, it is scaled automatically without an issue. We have plans to increase its usage in our future application process.

There are 35 to 50 users based in diverse geographical locations. We have Java, Python, and .NET applications running in the cloud. We also have some in-house cloud-based applications running on the AWS platform.

Their technical support people are good, but sometimes, they don't have complete knowledge of the software. So, they need some time to resolve the queries because they have to confirm or do knowledge sharing with their superior team members. I would rate them a 9 out of 10.

Positive

We didn't use any other solution previously. All our security scans were run manually by a third party, which cost a lot of money and time. We had to place a request to them, and then they used to schedule that.

I was involved in negotiating with the vendor and implementing the right solution. I worked with the team members and the end-users of the solution.

Its deployment is straightforward. They have to once go through the complete application analysis and review. They need to sit with the product development and the engineering team to go through the requirements, development environment, and IDE environment of an application. Once done, it is perfectly implemented in one go.

It took one month to have initial discussions, do the requirement analysis, and finalize the requirements. It took 15 days to get it implemented. So, it took 30 to 45 days.

There were team members from the engineering, product, and consulting for procurement, implementation, and final roll-out of the solution.

Its maintenance is a part of the implementation pricing plan and subscription. They are providing the maintenance and upgrade of the system. Because it is cloud-based, it is not managed by us. Veracode currently manages all the upgrades and updates. For any operational issues or additional change management, there is an additional cost.

There are 10 to 15 people in our networking infrastructure and the cloud team who are responsible for handling all the issues and the requirements for the developers. I'm also responsible for that. We are coordinating with their sales team and the account management team for any new requests or ongoing issues.

We have definitely seen an ROI. It helps the developers and testers to go through all the security flaws in their code or application repository in a very unique way. There are no chances of any security flaws or issues in the application. It helps the organization and the team. So, ultimately, it provides a positive return on investment.

It is quite good. If you adapt it for the whole organization, it is quite affordable. The pricing plans are good as compared to the other competitors, and any small, medium, or big company can easily adopt Veracode. Its cost includes deployment, training, and support for one year.

Security is a major concern for any organization. The developers do hard work in developing code, but if that code has some security flaws, it would be a challenge for any organization.

At the time, we evaluated GitLab, SonarQube, and Micro Focus, but we didn't go for them because of various reasons, such as price concerns, pricing plans, and the availability of the solutions. 

Every organization should use some kind of security-analysis solution for making their product stable, reducing time and effort, and saving costs.

I would fully recommend this solution to prospective buyers if they have a requirement for an analysis of the security flaws in their application and code. They will find it very useful if they can manage their budget for implementing this solution in the organization. It works perfectly well, and it will meet their expectations.

Overall, I would rate it a 9 out of 10. No solution is perfect, and a few improvements are always required in any solution.

We use it for static scans. It is mandatory in our company for every sort of project.

Veracode provides the organization an understanding of security bugs and security holes in our software, finding out if the software is production-ready. It is used as gate management, so we can have a fast understanding if the software is suitable for deployment and production.

My job is to help projects by getting the data integrated in Veracode. I don't own the code or develop code. In this area, I am a little bit like an integration specialist.

We use Azure and AWS, though AWS is relatively fresh as we are now just starting to define guidelines and how the architecture will look. Eventually, within a half year to a year, we would like to have deployments there. I am not sure if dynamic scanning is possible in AWS Cloud. If so, that would be just great.

The possibility to integrate Azure is very valuable because you can have every build integrated into the content integration pipeline. So, you can have every build scanned and determine when a new bug was introduced. Thus, you can keep great track of your code's security.

You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs.

Third-party library scanning would be very useful to have. When I was researching this a year ago, there was not a third-party library scan available. This would be a nice feature to have because we are now running through some assessments and finding out which tool can do it since this information needs to be captured. Since Veracode is a security solution, this should be related.

I would recommend that they keep working on the integrations. For Azure DevOps, the integration is great. I am not sure what the integration possibilities are for the Google platform or AWS, but I would suggest every other platform should have this easy and great integration. It takes a lot of time for companies, so this feature is a big plus.

I have been using it for about three years.

There have been no issues at all. There has been no downtime registered.

I worked with the technical support to integrate some things. One of our private cloud providers only had old routers. It was possible only to open network connections to IP addresses, while Veracode only provided the URL in their guide. So, I asked the technical support if it was possible to provide some fixed URLs that we could give our provider since it is unfortunately against the concept of the cloud to provide the IP addresses that work just for some time. The technical support's response was within a day, and it was prompt and clear. Also, all their reasoning made sense so the support was very good. I would rate the technical support as 10 out of 10.

Positive

We also use SonarCloud, which is a code quality tool. We use both of them because both these platforms are good in some areas. While the Veracode is very good at finding security-related issues, the SonarQube Sonar suite is very good at determining code quality. Also, when I was looking into the topic, the SonarQube team answered that there is no point for them to go further into code security since there are already great competitors who have years of experience and development behind them, specifically mentioning Veracode as masters in their field. That is the reason why we use both solutions: We benefit from using them both. These solutions compliment each other.

I evaluated WhiteSource Bolt specifically for third-party library scanning, but I did not have a lot of time to create a proper PoC. I had a call with WhiteSource and told them that I would like to do a PoC, but I was not very satisfied with their support. It was like, "Just try the free solution then contact us again." However, the free solution didn't provide me enough things to make a decision. So, I just put it off until sometime possibly in the future. If Veracode offered third-party scanning, then we wouldn't need WhiteSource Bolt at all.

If you have Azure DevOps and would like to understand your code and how secure it is, then there are not a lot of better options. Also, there are not many choices in this area at the moment.

Once your code is scanned by the static scan of Veracode, you get some evaluation scores based on some criteria. For the management, when it is above a certain number, it is fine, but when it is built below, then it is no-go for production. Even though there is a possibility to create a sandbox environment for projects, they don't get it. That is understandable to me. I try to explain to them that there are no issues if you are working in a development environment and you get difficult scans. It is fine then because you can create a sandbox environment, which will not screw up or make the production releases worse because it is in a separate bucket.

We are happy using the solution. I would rate it as nine out of 10.

Veracode has both static application security testing as well as dynamic application security testing, also called Dynamic Analysis. Our primary use case was on the static analysis side, not on the dynamic, because we have an automated tool in the dynamic analysis scope. So our primary use was static analysis security testing.

Application security improved a lot because the teams got a list of all vulnerabilities, they analyzed them, and then they incorporated the fixes. It helped ensure that these kinds of issues would not happen when they wrote code in the future, because when the fix was applied, it was applied to all the vulnerabilities. That means our AppSec improved greatly once we started using Veracode.

It has SAST, DAST, as well as SCA—software composition analysis, which is used for finding vulnerabilities in third-party components. All these are in one tenant. Veracode provides a uniform view that enabled us to see the vulnerabilities of an application holistically. Our primary use case was the SAST. The DAST and SCA were not for our products. It definitely helped reduce risk exposure because, no matter how secure the code you write is, ultimately, you end up using third-party libraries. So finding vulnerabilities in the third-party libraries is also essential and this unified view gave us a holistic security profile of the application, rather than just our code or just the third-party code or only static or only dynamic. All these pieces are combined to give a unified view. It helped give a holistic picture of the security status of the application.

The most valuable feature, from a central tools team perspective, which is the team I am part of, being a DevSecOps person, is that it is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage. 

Also, because it's SaaS and hosted, we didn't have any infrastructure headache. We didn't have to think about capacity, the load, the scan times, the distribution of teams across various instances. All of this, the elasticity of it, is a major advantage.

There are two aspects to it. One is the infrastructure. The other one is the configuration. There are a lot of SaaS solutions where the infrastructure is taken care of, but the configuration of the application to start scanning takes some time to gain knowledge about it through research and study. That is not the case with Veracode. You don't have any extensive security profiles to consider. It's a two-pronged advantage.

Veracode also reports far fewer false positives with the static scanning. The scanner just goes through the code and analyzes all the security vulnerabilities. A lot of scanning tools in the market give you a lot of false positives. The false positive rate in Veracode is notably less. That was very helpful to the product teams as they could spend most of their time fixing real issues.

Veracode provides guidance for fixing vulnerabilities and that is one of their USPs—unique selling propositions. They provide security consultations, and scheduling a consultation is very easy. Once a scan is completed, anybody who has a Veracode login can just click a button and have a security consultation with Veracode. That is very unique to Veracode. I have not seen this offered in other products. Even if it is offered, it is not as seamless and it takes some time to get security advice. But with Veracode, it's very seamless and easy to make happen.

Along those lines, this guidance enables developers to write secure code from the start. One of the advantages with Veracode is its ability to integrate the scanning with the DevOps pipeline as well as into the IDEs of the developers, like Eclipse or IntelliJ or Visual Studio. This type of guidance helps developers left-shift their secure-coding practices, which really helps in writing far better secured product.

Another unique selling point of Veracode is their eLearning platform, which is available with the cloud-hosted solution. It's integrated into the same URL. Developers log into the Veracode tenant, go through the eLearning Portal, and all the courses are there. The eLearning platform is really good and has helped developers improve their application security knowledge and incorporate it in their coding practices.

One of the things that Veracode follows very clearly is the assignment of a vulnerability to the CWE standard or the OWASP standard. Every vulnerability reported is tied to an open standard. It's not something proprietary to Veracode. But it makes it easy for the engineers and developers to find more information on the particular bug. The adherence to standards helps developers learn more about issues and how to fix them.

We use the Static Analysis Pipeline Scan as part of the CI pipeline in Jenkins or TeamCity or any of the code orchestrators that use scanning as part of the pipeline. There's nothing special about the pipeline scan. It's like our regular Veracode Static Analysis Scan. It's just that if it is part of the pipeline, you are scanning more frequently and finding flaws at an earlier point in time. The time to identify vulnerabilities is quicker.

Veracode with the integrated development environments that the developers use to write code, including Microsoft Visual Studio, Eclipse, IntelliJ IDEA, etc. It also integrates with project and portfolio management tools like JIRA and Rally. That way, once vulnerabilities are reported you can actually track them by exporting them to your project management tools, your Agile tools, or your Kanban boards. The more integrations a scanning tool has, the better it is because everything has to fit into the DevOps or DevSecOps pipeline. The more integrations it has with the continuous integration tools, the IDEs, and the product management tools, the better it is. It affects the adoption. If it is a standalone system the adoption won't be great. The integration helps with adoption because you don't need to scan manually. You set it up in the pipeline once and it just keeps scanning.

When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications.

For C++ based languages, or languages where there is a platform dependency—for example, if I write C language code it is dependent on whether I'm executing that on Windows, or on Linux, or another platform—and with some of these platforms-specific languages, Veracode makes something called debug symbols that are introduced into the code. That gets cumbersome. They could improve that or possibly automate. If Veracode could quickly analyze the code and make file-line flags, that would be great. It is easy to do for Java, Python, and Pearl, but not so easy for C++. So when it comes to the debug symbols, guidance or automation could be improved.

Also, scan completion, as well scanning progress, is not reported accurately. Sometimes the scan says it will complete in two to three hours but it will take four or five hours. That is one of the areas where they can give a more accurate estimate.

I used to work for CA Technologies, which was acquired by Broadcom. Back in 2017, CA Technologies acquired Veracode, and that is when I started administering Veracode. Since it was a CA product, all product teams in various business units within CA were asked to adopt Veracode for their static analysis. My team is the central tools team and had the responsibility of enabling and deploying Veracode for all the product teams. So we used Veracode starting in 2017. I used it both in a DevSecOps lead role and as a Veracode admin and security admin.

It's quite stable because everything is in the cloud. I really don't need to worry about the stability at all or the frequency of the scans. It's all taken care of by the Veracode platform.

It is scalable. We had about 500 applications, out of which 200 were being scanned regularly. It was in the AWS infrastructure and it was quite scalable. The elasticity was all taken care of. We were scanning a huge set of enterprise products.

We had roughly 2,000 Veracode users. Generally they were developers but there were QA people, as well as the program managers because they needed to add the vulnerabilities and see the health of the product. We also had security champions to advise the product teams on their scanning and vulnerabilities. In addition, general security also accessed it to provide consultation on how to fix vulnerabilities. We were able to give privileges and access control based on each individual.

We stopped our use of Veracode on November 1st, 2020, about 30 days ago. But when we were using it for the three-and-a-half years, the usage was very extensive.

The customer support was two-pronged. One was the security consultation and that was top-notch. The security support helped teams understandable the vulnerabilities 

The regular customer support for issues was quite prompt and had good SLA turnarounds.

Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license. It's a good return on investment because it improves the application security for all the different types of scans.

It reduced the cost of AppSec for our organization because otherwise we would have had to go through multiple vendors for application security. With Veracode, one solution fit all our needs. It reduced the AppSec cost by reducing the numbers of vendors. Typically, you would have different products for different types of scanning. For static analysis you might use one tool, and for dynamic another, and for third-party software composition analysis you might use another. And after using all those tools, you might still have to consult with another vendor. Veracode combines all this into a single solution.

I would estimate that it saved us $500,000 a year.

We have been using the Synopsys tool from Coverity for our static analysis.

Veracode is superior in terms of infrastructure because it is cloud-hosted. We don't have that with Coverity on-premise. We need to take care of capacity planning, infrastructure procurement. Also, with Coverity we have to invest some time to enable various checkers. The security profile configuration takes time compared to Veracode.

Coverity, on the other hand, is more robust and it works with the C programming languages.

We are quite new to security systems. We have not adopted Veracode at the enterprise level. We are using the GitHub Advanced Security system. We were looking for static code analysis or software configuration analysis tools in the market. That is when we explored Veracode.

We want to centralize our security systems so that any repository that developers are using or creating in our organization follows the same set of standards. We want to have all the security checks and all the static code analysis done at the same level and with one client.

We have had challenges with security because developers come from different organizations and different backgrounds. They have different ways of coding. Based on their experience, they write the code, but there is a very high chance of having vulnerabilities in their code. The PR reviews used to take a lot of time for the reviewer. By implementing such a solution at the enterprise level, we assume that we will save a lot of time for developers and code reviewers because everything will be done by the tool. It will impact us a lot.

Veracode is quite good. It checks the security vulnerabilities in our packages. It discovers them very nicely, but it is not a tool for improving code quality. It does not provide very good static code analysis.

Veracode's policy reporting is fine for ensuring compliance with industry standards and regulations.

Veracode provides visibility into application status at every phase of development.

Veracode saves our developers' time. They are not doing manual PR reviews. It has saved about 20% of the time because we are still in the adoption phase.

We have a lot of confidential data of clients. We do not want our application to be exposed outside. We have configured a code quality gate, so before production itself, it blocks the PR deployment and allows it once all the security checks are passed.

Veracode is one of the tools that helps to verify external dependencies. Veracode helps a lot there.

One thing that I like about Veracode is that it is quite a good tool for dynamic application testing. It is a little bit better than DeepSource and SonarQube in terms of software composition analysis and dynamic application testing. 

When I was looking into it, my initial impression was that it has a good UI as compared to other competitors.

A negative issue I found is that it has a subscription-based model. 

If Veracode can provide static analysis in terms of how we can improve the code quality, it will be quite a good feature.

I have been using Veracode for 2 years.

It is quite stable.

We have not deployed it on our on-premise system, so it is quite scalable. There are no issues with that. I would rate it a 6 out of 10 for scalability.

We have not used their support extensively, but when we were choosing Veracode, I felt that they have a very good support system. The support they provided was good.

Neutral

I also work with SonarQube. I did not switch from SonarQube to Veracode. We are using a combination of both because SonarQube provides good code quality, but Veracode does not. Veracode provides very good dynamic application testing and software configuration analysis, but SonarQube does not. A combination of both is meeting our needs.

Configuring SonarQube at the cloud level based on our requirements is quite challenging. The support is based on the community. It is not something we consider as an enterprise-level tool, whereas this is not the case with Veracode. These things are better in Veracode.

I was not involved in its deployment. I am in the quality team. The DevSecOps team takes care of its deployment. That team has 8 to 10 people.

It does not require any maintenance. Everything is done automatically by the vendor.

Everything was done in-house.

It is too early for that, but Veracode will save us development effort and time. That will be the return on investment for us in the future. We will be able to measure its overall cost-effectiveness by comparing what we are paying for the service and how much developer time it is saving. 

We are still considering it at the enterprise level. It has a subscription-based model. We find its price a little high based on the features it provides. In addition to the standard licensing costs, there are no additional costs.

To someone who is looking at Veracode but is concerned about the price, I would recommend exploring it themselves. They might not need the same features that we need. They might be looking at some other aspects of security. I would recommend exploring it and doing a price evaluation based on their needs. 

We also explored DeepSource for some time, but we did not go for it. The functionality that DeepSource provides is somewhere between Veracode and SonarQube. Veracode was a little bit better, and that is why we went for Veracode.

We do not use the free access to Veracode's Application Security Consulting team, but we are planning to use it. We have not yet used the Veracode Fix feature that produces AI-generated fixes. It is a new feature.

The fact that Veracode does not scan source code, only binary code, does not concern us. We are using multiple tools. Veracode is one of them.

Overall, I would rate Veracode a 7 out of 10. We are still adopting Veracode. We have not gone through all the features that Veracode provides. Its rating would probably increase after a few months of use. I would recommend Veracode to others.

I used Veracode in my previous company. My role was to assist the team in identifying the vulnerabilities in the reports. I identified those and diverted them. The software team was responsible for taking appropriate actions to fix those.

We used Veracode in our environment to have account verifications or transaction confirmations. Apart from that, we had event registration as well as membership confirmation.

Veracode provides visibility into application status at every phase of development. My role was to analyze the vulnerabilities and pass them on to the software team. The severity of a risk was provided by us, and the software team was responsible for mitigating that. It helped us a lot in mitigating the vulnerabilities. We were able to proactively react to anything malicious.

It helped with early vulnerability detection and automated security testing. These were two things for which I usually used to use Veracode.

The static analysis and the dynamic testing methodologies for security vulnerabilities helped us in our development process. It allowed our developers to address issues before they became complex or expensive to fix. That was one of the things that helped us a lot.

Veracode helped us with the Log4j vulnerability. At that time, we relied completely on Veracode.

Veracode helped our developers save time. Proactively fixing the vulnerabilities saved a lot of time. It saved 50% to 60% of the time. Fixing them after the sprint is over takes more resources and time and also costs us. Veracode saved time as well as the cost.

Veracode helped us with the shift-left security strategy, but we did not rely much on Veracode for that because we already had something for that. Veracode was good enough overall.

The scanning is most valuable. The scans given by Veracode are one of the key features that I like.

The integration with DevOps pipelines is seamless. 

The scans were sometimes not accurate in version 2022. There were some false positives in the vulnerability reports. We used to get false positives, and we were responsible for checking all of the alerts and determining whether they were true positives or false positives. They might have already improved it. If they have not, they can look into how to mitigate false positives.

I have used Veracode for almost two years. 

It is stable.

It is scalable. The agents were deployed on about 2,000 machines. For administration, we had a SOC team. It was filler work for them, but we had a team of 13 people.

Dennis from Veracode helped us right from the deployment. If there was any critical task, he used to help us with that. We hardly had to reach out to their support for any issues.

I have used different solutions. I have used Darktrace. I have used CrowdStrike and Carbon Black. In my current company, I am using CrowdStrike.

When I was using Veracode, each agent needed to be deployed on each machine. I do not know what they are using now. CrowdStrike is a single platform with a single agent. You can deploy it on all the machines. That is one of the advantages. Moreover, I have become used to the GUI of CrowdStrike over the last year or so. I am more comfortable with CrowdStrike, but it depends on person to person. I would rate Veracode an eight and CrowdStrike a nine out of ten. I am a bit biased toward CrowdStrike because I am currently using it in my organization. I am not using Veracode here.

I was involved in its deployment. It was super easy. The support that was provided by them was fabulous.

There was a delay from our end. It took us almost 90 days to deploy it, which included approvals and other things.

We had a consultant from Veracode. His name was Dennis. We were satisfied with his job. 

I used it for two years in my last organization, and we saved a lot of costs. It was not related to the product; it was related to the risks that we used to get. On the technology side, it surely saved a lot.

They keep on working on their product. They keep on upgrading that. The threat landscape keeps on evolving, and there are new threats every day. The Veracode team helped us in mitigating and remediating them and guiding us with those particular threats. I would surely recommend Veracode. I even tried to recommend it over here, but I am not one responsible person for that decision over here.

They have recently introduced a feature called "Veracode Fix" that produces AI-generated fixes. I read about it somewhere. It does vulnerability identification and prioritization and some behavioral analysis. It does dynamic analysis of any malware or any abnormal or malicious behavior. It is evolving. One more thing that I read was pattern recognition. The AI algorithm that has been provided recognizes patterns. It can assist in recognizing patterns and trends in security data.

It has policy reporting for ensuring compliance with industry standards and regulations, but we did not use that.

To those who want to use Veracode or any similar solution, I would advise being aware of their environment and security posture and seeing where it fits into their security posture. If they proactively work on the alerts provided by Veracode, they will surely save a lot of money, time, and resources. I would suggest working proactively on the alerts given by Veracode.

Overall, I would rate Veracode an eight out of ten.

Previously, finding security issues in our complex healthcare software was a time-consuming process. Manually reviewing all logs took half our time. However, Veracode has revolutionized our workflow.

With Veracode's automated solution, we now receive daily reports highlighting security vulnerabilities. This allows us to address issues promptly, significantly reducing the previous two to three-week investigation period.

Veracode also eliminates the need for manual testing, freeing up our team for other tasks. Its user-friendly interface provides comprehensive scans, and detailed reports, and even pinpoints specific lines of code causing issues.

This shift-left approach has greatly improved our development process, resulting in fewer customer complaints. Proactive vulnerability detection and efficient issue resolution have significantly enhanced our team's productivity.

Veracode does a great job preventing vulnerable code from going into production. For enterprise-level companies, saving time is paramount. Previously, manual testing took days and still didn't uncover as many issues as Veracode now identifies. Despite having a skilled testing team, their workload has been reduced by 70 percent thanks to Veracode. This newfound efficiency has revealed vulnerabilities we wouldn't have found otherwise. Veracode excels at showcasing issues and their severity, extending beyond violation errors to encompass potential security risks and logic-related issues. Its user-friendly interface simplifies the process for all users, regardless of their technical expertise. As a developer, I recognize the immense effort behind Veracode's seamless operation. It automates the grunt work, freeing up our developers to focus on other tasks.

The policy reporting for ensuring compliance with industry standards and regulations is good. Veracode covers a vast majority of industry standards and identifies areas within our code that don't comply with those standards, providing remediation suggestions.

Veracode provides comprehensive visibility into application security throughout the entire Software Development Lifecycle. During the coding stage, Veracode scans the entire codebase for vulnerabilities. Additionally, we utilize Veracode's static analysis capabilities for further security assessment. Once the product is published and deployed to the production environment, Veracode analyzes the entire software stack to identify any potential security risks. In short, Veracode plays a vital role in various stages of our software development and production process.

Veracode has significantly improved our speed in fixing software flaws. It has also transformed our approach to addressing issues. Previously, we spent considerable time investigating the root cause of errors in the code. Now, thanks to Veracode, we can devote more of our intellectual resources to directly fixing the system, which ultimately results in a more efficient product for our users.

It has significantly reduced our build time. We automate our builds every day, running them between 3:00 AM and 5:00 AM. Once the build is complete, Veracode scans the entire build and provides a report by 6:00 or 7:00 AM. This allows us to review any new issues in the build by the time we start work at 9:00 AM, enabling us to address them quickly. Previously, this process took several days, but with Veracode, it now takes just a few hours. We now continuously review and fix issues every day, leading to significant time savings compared to our previous weekly review process.

Veracode has significantly enhanced our security posture by improving our security practices and increasing the efficiency of our security team. Additionally, we are now experiencing a decrease in the number of errors reaching production. Previously, our development process involved developers building and deploying code, then sending it to the security team for evaluation and subsequent feedback. This cycle is often repeated multiple times, leading to delays and inefficiencies. However, with the implementation of Veracode Greenlight, developers are now empowered to test their code directly, effectively shifting our first layer of security. This shift has enabled us to deliver even more secure products while simultaneously saving substantial amounts of time.

I would like Veracode to add more language support.

To use the Veracode extensions, we need to create a file in a folder and name it "prevention and filters." It would be more user-friendly if Veracode could automate this process by creating the file automatically when the Greenlight extension is installed. Additionally, a pop-up tool for security could be shown to guide users through the process making it more user-friendly.

I have been using Veracode for six months.

Veracode has been a stable platform for us to date.

Veracode can scale based on the price tier selected. I would rate the scalability of Veracode a nine out of ten.

The Veracode support team is excellent. I had an issue removing an account, so I emailed support. They created a case for me within one minute and sent me an automated email with a registered ticket. Within five to ten minutes, I was contacted by a support representative who quickly understood my problem.

My account had expired on the platform but hadn't been deleted from the backend. The representative understood this right away and provided a solution for a hard delete. He was also very knowledgeable but explained that he needed the administrator's permission to proceed. He suggested I add him to the thread, and everything was resolved smoothly.

Positive

I would rate Veracode a nine out of ten.

Minimal maintenance is required for Veracode.

We are not concerned that Veracode does not scan source code, as we believe scanning binary code is a more advantageous option.

Since security is paramount for applications, utilizing Veracode to identify and remediate vulnerabilities is a wise investment. This approach frees up valuable time and resources, allowing for more efficient progress.

We use it for code analysis to see if there are any vulnerabilities in the code. I'm heading a startup for this, and I have a development team of about 14 people. They upload the codebase to Veracode, run an analysis, and take the results. If there are any vulnerabilities, they fix them.

It reduces security vulnerabilities and increases our security level. It has been helpful in reducing our security debt.

Having a centralized view for our developers and security professionals is very important. If there is anything in the cloud or infrastructure, we need to know proactively. Otherwise, we wouldn't know when there is a security compromise. So, we have to be prepared so that if something happens, we know where to go and stop it. It is not always about fixing and making your code zero percent vulnerable. That doesn't happen generally, but you need to know the areas where something can go wrong. If those areas are your critical systems or critical data security parts, you can act accordingly and quickly.

The centralized view has improved the visibility into the status of our application code. This visibility is very important because we need to know the condition or status of our codebase.

Scanning with the solution has increased our fix rate, but I don't have the metrics. It has also helped to increase the productivity of our security and development teams.

It is a good product for creating secure software. The static code analysis is pretty good and useful. The mitigation recommendations provided by the scanning engine are also pretty good.

From the usability perspective, it is not up to date with the latest trends. It looks very old. Tools such as Datadog, New Relic, or infrastructure security tools, such as AWS Cloud, seem very user-friendly. They are completely web-based, and you can navigate through them pretty quickly, whereas Veracode is very rigid. It is like an old-school enterprise application. It does the job, but they need to invest a little more on the usability front.

From the pricing perspective, it is not very convenient for startup organizations. They should have options to onboard it for the startup ecosystem quickly and affordably.

There should also be strengthening of the developer community.

I have been using this solution for almost a year.

I didn't find any errors. It is available and stable. I didn't have any issues with it.

Its flexibility is very less. It is a very rigid application. Currently, we have six users of this solution in our organization.

I interacted with them once. They were very good. They were very friendly and supportive. I would rate them a seven out of ten.

Neutral

We didn't use a different solution previously. The company started just a year ago. 

For enterprises, Veracode has done a fairly good job, but its pricing is not suitable for startups. The microservice distributed architecture for a startup is very small. I had to do a lot of discussions on the pricing initially. I previously worked in an enterprise organization where I used Veracode, and that's how I got to know about Veracode, but that was a big organization with more than a thousand employees. So, the cost is very different for them because the size of the application is different. Its pricing makes sense there, but when we try to onboard this solution for the startup ecosystem, pricing is not friendly. Because I knew the product and I knew its value, I onboarded it, but I don't think any other startup at our scale will onboard it. 

Its pricing should be based on the size of the application or organization. For a startup organization, they can provide credit-based pricing. They don't need to reduce the price. AWS, Google, and other vendors do the same where they don't reduce the price, but they give credits. I have been in the industry for 15 years, and I have seen that people don't like to change technologies for many reasons. For the first year or the first 18 months, customers can explore the product completely free. If the first year is free and you are onboarded, you would stay with it if it does the job. If the product is doing its job and adding security value, there is no reason to change it in the second year, and you are also ready to pay because, in the first year, you have tested that it is working fine. A company that has used it for the first year would definitely need it in the second year because they keep adding code to the codebase. Another option is that, like Cloudflare, they provide a very slashed rate. Cloudflare onboards everyone at a very cheap price, but when you start exploring the actual use cases, they start adding. 

It is a good product, and you should consider it, but it can be elevated more for startup culture. It should be more pricing-friendly and user-friendly. There should also be strengthening of the developer community.

We are only doing code analysis with it. For manual penetration testing, we have to contact an entity.

It hasn't reduced our scan time. It also hasn't helped our organization with certification and audits. We're a small startup, and at this time, we don't have audits, etc. We might do that later. 

I would rate this product a six out of ten.