Jagusztin Laszlo - PeerSpot reviewer
Lead Architect, Presales lead at Alerant Zrt.
Real User
Top 10
Used for legacy software audits and allows us to audit the software without the source code
Pros and Cons
  • "The most valuable feature of Veracode is the binary scan feature for auditing, which allows us to audit the software without the source code."
  • "Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects."

What is our primary use case?

We use Veracode mainly for legacy software audits.

What is most valuable?

The most valuable feature of Veracode is the binary scan feature for auditing, which allows us to audit the software without the source code. Veracode's most valuable feature is the verified vulnerability database, and we can do a full software audit at our company, including all of the systems.

What needs improvement?

Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects.

With the solution's security audit feature, an enterprise should be able to cover all of its applications with the desktops. Veracode is simply too expensive for that. If you know about the price of a web application, and if you multiply it by 1,000, the return on investment doesn't work. It's okay for one or two projects running very fast, but it doesn't work for all the legacies. So, it's a huge amount of money.

There should be some lighter tool that allows you to do an audit scan one time. Only ten percent of the applications are actively developed. About 90% of the other applications have no projects or budgets, but we are still vulnerable. It is too much if you buy it for all of that.

For how long have I used the solution?

I have been using Veracode for three years.

Buyer's Guide
Veracode
January 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
832,340 professionals have used our research since 2012.

What do I think about the stability of the solution?

Veracode is a completely stable solution, and we had no problems with its stability. The solution was a bit slow, but it was stable.

What do I think about the scalability of the solution?

We didn’t face any issues with the solution’s scalability.

How are customer service and support?

We know only one person from Veracode, and he supported us when we had issues, and he was able to solve everything.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have previously used Checkmarx. Veracode's pricing is cheaper than Checkmarx, and it has some unique features like binary scan. In Hungary, Checkmarx is installed more than Veracode.

How was the initial setup?

The solution’s initial setup was very easy. Only one or two people are needed for the initial setup of the solution.

What's my experience with pricing, setup cost, and licensing?

Veracode is a very expensive product.

What other advice do I have?

Veracode can list a lot of vulnerabilities, but processing all of them is a time- and resource-intensive process. I think Veracode has no innovative features because a lot of other software can do that. In our opinion, innovative features are a commodity with Veracode, but they are doing a good job.

The solution's ability to provide visibility into application status at every phase of development is valuable. It can be faster, but it can also slow down because our backlog may be much longer. There will be a lot of vulnerabilities or false positives that have to be processed. So, it is not black and white, but it is safer. Veracode has helped our developers save time.

Veracode has had a very low impact on our organization’s overall security posture because it is a very expensive product. An enterprise with 1,000 applications uses the solution for one or two applications. Veracode does not need any maintenance because it's cloud-based.

Veracode is very important to our organization’s shift-left security strategy when we have a project with enough sources to provide the license. I use Veracode’s cloud version. The return on investment with Veracode is good for one or two mission-critical projects running in the company. For other things, users should use open-source solutions or much cheaper products like SonarQube that are not as good as Veracode.

The fact that Veracode scans only binary code and doesn't scan source code concerns me sometimes. Sometimes, we have to do some source repository audits. We cannot use Veracode for source repository audits because it scans only binary code. I would recommend Veracode to other users.

Overall, I rate the solution ten out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Ujjwal Sachdeva - PeerSpot reviewer
Data scientist at Advarisk
Real User
Top 5
Identifies bugs before deployment in the software-side cycle process
Pros and Cons
  • "The integration capabilities with our existing development tools are very good."
  • "The solution does take a bit more time when we use it for multiple processes."

What is our primary use case?

We use the solution for identifying bugs before deployment in the software-side cycle process.

It can be integrated with our CI/CD pipeline, and it can be used with multiple integrations in our Visual Studio Code editor. That's the main use case.

How has it helped my organization?

We've saved a lot of time since using Veracode. We've also been able to cut down on costs since we require a lot of penetration tests for testing our software. Veracode helps us drastically reduce these costs. We've cut our costs down by 40%.

What is most valuable?

The solution provides us with a feature that we can directly use with static and dynamic analysis. With static analysis, we can use it while the app is not running, and with dynamic analysis, we can scan our application while it is running. It provides efficiency and also saves a lot of time for penetration testing and bug testing.

The capabilities of the analysis of the code base can help us effectively detect potential vulnerabilities. This is the most valuable feature we found. It can be integrated with multiple code editors, and it can also be integrated with various CI/CD pipelines.

The dynamic analytics is efficient. It helps us identify bugs while the app is running. We find that this ability is way better than its competitor.

Our impression of the solution's ability to prevent vulnerable code from going into production is positive. Prior to Veracode, we used to deploy our apps, and it used to be an expensive process to fix the bugs and all the potential vulnerabilities after deployment. Now, we have access to AI. It has AI tools, which have been trained with a lot of data sets. It helps us to detect bugs and fix them.

We use the free access to Veracode's application security consulting team. The consulting team has helped us a lot, and we've had positive experiences with the vendors. It is efficient and very fast. It takes less than two or three days, and they always respond positively. They are really fast at solving our problems. It's important for us to have access to an application security consulting team at no extra cost.

We use Veracode's AI-generated fixes. They make fewer errors and are very accurate. We've had a very positive experience. They've saved approximately seven hours of debugging and error finding versus the manual penetration testing process. 

The solution's policy reporting for ensuring compliance with industry standards and regulations is very helpful. It's fast as well. The team helps us at every step of the product life cycle. They provide us with very useful visibility into things like static analysis, composition analysis, and manual penetration. It significantly helps us to reduce the time that we have to manually fix the bugs, and it also provides us with an efficient solution for future cases via past analysis through its data algorithm. We've saved six to eight hours compared to manual fixing.

Veracode has had a positive impact on our organization's ability to fix flaws compared to the prior. It has reduced our costs and time, and it has also provided us with multiple security functions. That, and it's made our application a lot more secure. It really helps our devs free up time due to less debugging needed on their part.

The solution has helped us a lot with our overall security posture. Many security features were fixed prior to release, and we've been able to reduce manpower and employee count. We've reduced teams from six or seven people to two or three. 

The integration capabilities with our existing development tools are very good. The integration process was easy. It has stable APIs.

What needs improvement?

The solution does take a bit more time when we use it for multiple processes. When we use it for a single process, it takes up less time. The cost also goes up when we use it for multiple processes. 

For how long have I used the solution?

I have been using the solution for six months.

What do I think about the stability of the solution?

The solution is very stable. We haven't come across any bugs. 

What do I think about the scalability of the solution?

Our security team of three uses the solution. 

It's great for scaling. We can use it on multiple projects which involve multiple security flows.

How are customer service and support?

Technical support has been very fast and efficient. The team helps us at every phase of the development cycle. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not use a different solution. Previously, we relied on manual testing. 

How was the initial setup?

We deployed the solution in about three months. We had a team of eight working on the implementation. During the process, I was in charge of, IT was in charge of security, and the AI algorithm.

We don't require any maintenance.

What was our ROI?

Even after six months, we've seen an ROI. In terms of resources, it's great for cost-cutting. It also generally cuts costs by 40%.

What's my experience with pricing, setup cost, and licensing?

The pricing is moderate for particular processes. However, if we take an entire process in general, it can be costly. It's more economical to use it for single purposes instead of generalizing processes. 

Thanks to its algorithm, Veracode is an on-demand service that can be very cost-effective. With so many features, we no longer require many people to test.  

If they are worried about pricing, people should try out their demo feature, which is available online. That way, they can demo and evaluate how it would work for them. If it works for their team and product, they may find it can optimize their processes. Of course, it depends on the use case. 

What other advice do I have?

I'd advise colleagues considering Veracode to evaluate the specific requirements for their application and do an in-depth analysis. I would recommend it as a product.

I'd rate the solution ten out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Founder/Developer at Sarkonah
Real User
Gives our developers the confidence to develop faster, saving a lot of time
Pros and Cons
  • "The static analysis gives you deep insights into problems."
  • "They need to have a plug-in, a better integration with the development environment."

What is our primary use case?

I use Veracode to prevent vulnerable code from going into my application.

How has it helped my organization?

The major improvement is that we have secure platforms, free from vulnerable code, so I'm very pleased. It's definitely a helpful solution. It helps me to minimize risks. We know that things are very secure and cannot be hacked because we have taken out the vulnerable code. Overall, the effect is that we are very secure and very reliable for our clients.

And Veracode has improved efficiency and the quality of work in our organization. It gives our developers the confidence to develop faster, saving a lot of time. It saves them around 30 percent of their time.

And the false positive rate is very impressive. It saves us a lot of time, about 20 percent, on tuning policies.

We also know that we are compliant in our industry.

What is most valuable?

The static scanning and the analytics are ideal for me. The static analysis gives you deep insights into problems.

And creating a report is easy.

What needs improvement?

They need to have a plug-in, a better integration with the development environment. 

For how long have I used the solution?

I have three years of experience with Veracode.

What do I think about the stability of the solution?

It is a stable product.

What do I think about the scalability of the solution?

It is scalable enough.

How was the initial setup?

The setup is very simple. I deployed it alone and it took me five hours.

And it doesn't require any maintenance.

What was our ROI?

I have seen a return on investment of about 50 percent. It has reduced the number of DevOps that we need, saving us about $800 per month.

What's my experience with pricing, setup cost, and licensing?

The pricing is fair. You get a lot out of the product. If you're concerned about the pricing, I will show you how it is cheap.

What other advice do I have?

I would recommend using Veracode to help you understand your software and remove vulnerable code.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Everton Yoshitani - PeerSpot reviewer
VP of Engineering at Resola Inc
Real User
I like the ease of integration and onboarding
Pros and Cons
  • "I like Veracode's ease of integration and onboarding. You can quickly and easily get started with a new project or application. That's one area where Veracode shines relative to other tools we've evaluated. Other tools need more work or an engineer to do the setup. With Veracode, you can do the onboarding in a few steps quickly."
  • "When Veracode updates the pool of tests and security checks, it could be a little more transparent about what it is releasing. It's not clear what it's adding. They do thousands of checks, and when they add more, there aren't many details about what the new tests are doing."

What is our primary use case?

Veracode is a DAST solution that we use for automated security scans of our APIs and front end. We perform daily scans of our applications so we can act on the results quickly instead of routine security audits that we might do yearly or quarterly. It's a complement to the standard penetration test suite.

How has it helped my organization?

Veracode helps us improve our overall security and build trust with our customers. For example, some of our customers have strict security requirements, and they need us to use more products. It helps our business by building confidence in our products' security. Veracode improves our sales and helps us secure contracts because we can demonstrate what we are doing to the clients. 

We can use it in our dev environment to detect issues early before they get into production. It saves time equivalent to one full-time security engineer. We have around 60 people on the team, but we don't need a security engineer. Our regular engineers can fix the issues themselves based on Veracode's report. 

What is most valuable?

I like Veracode's ease of integration and onboarding. You can quickly and easily get started with a new project or application. That's one area where Veracode shines relative to other tools we've evaluated. Other tools need more work or an engineer to do the setup. With Veracode, you can do the onboarding in a few steps quickly. 

Another beneficial feature is Veracode's reporting. The report not only outlines the security issues in detail but also offers some solutions. Even if one of our backend engineers isn't specialized in security, they can still fix the issue solely based on the suggestions in the report. 

What needs improvement?

When Veracode updates the pool of tests and security checks, it could be a little more transparent about what it is releasing. It's not clear what it's adding. They do thousands of checks, and when they add more, there aren't many details about what the new tests are doing. 

For how long have I used the solution?

I have used Veracode for 2 years.

What do I think about the stability of the solution?

I rate Veracode 10 out of 10 for stability.

How are customer service and support?

I rate Veracode support 8 out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Veracode is the first tool we purchased specifically for DAST testing. We used other security tools, and we used to do penetration tests, but using people, not automated.

How was the initial setup?

Deploying Veracode was straightforward. There weren't many steps. We needed to prepare our API specifications and set up our system. 

What's my experience with pricing, setup cost, and licensing?

The price is worth it. You have to consider the cost versus the security Veracode provides. It's also cheaper than the other solutions we considered. 

What other advice do I have?

I rate Veracode 9 out of 10. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer2333736 - PeerSpot reviewer
Cloud system engineer at a consultancy with 1-10 employees
Real User
Top 5 Leaderboard
Runs comprehensive scans and links the vulnerable code to the weekly reports identifying what services are affected
Pros and Cons
  • "The automation of Veracode is great because we no longer have to run manual testing."
  • "The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users."

What is our primary use case?

We use Veracode to identify vulnerabilities in code to ensure the security and integration of the apps.

How has it helped my organization?

Veracode effectively identifies vulnerabilities within the code. My role is to analyze these vulnerabilities and assign a severity level before forwarding them to the development team. This allows them to address the issues before deployment to production.

Whenever Veracode releases a new feature, we seek the expertise of Veracode's application security consulting team to understand its functionality and how it contributes to code security. The team demonstrates exceptional responsiveness and promptly addresses our questions, eliminating the need for unnecessary back-and-forth communication.

In today's digital world, cybersecurity is more important than ever. Veracode offers a comprehensive suite of features that help developers secure their code through automated scanning. This scanning identifies vulnerabilities and detects malicious code, preventing it from entering production.

Veracode has helped reduce our time to remediate security flaws.

The policy reporting for ensuring compliance with industry standards and regulations has been positive for our organization.

Veracode provides visibility into application status at every phase of development.

It has been instrumental in enhancing our organization's ability to fix flaws while simultaneously reducing our manpower requirements allowing us to focus on other issues.

Veracode has helped our developers save 20 percent of their time.

Implementing Veracode has significantly bolstered our security posture. We can uncover more vulnerabilities and streamline our detection process. We've become more proactive in identifying and addressing security threats. This allows us to focus on building secure applications with confidence.

Veracode has proven to be a solid choice for our organization's shift-left security strategy, compared to other solutions like Darktrace.

To ensure secure software from development to deployment, we leverage Veracode throughout our CI/CD pipeline, enhancing our app security at every stage.

Veracode helps us prevent vulnerable code from entering production, strengthening our third-party application security.

Among Veracode's features, vulnerability scanning stands out for its effectiveness in identifying and remediating security weaknesses, ultimately mitigating threats to our applications. 

The integration capabilities have positively affected our existing development tools when integrating with other cloud solutions. It is easy to integrate and the support team is helpful during the integration process.

Veracode helped improve our compliance posture with our existing solutions.     

What is most valuable?

The automation of Veracode is great because we no longer have to run manual testing. 

The weekly report logs are great because we can address any vulnerability issues that are detected quickly.

Veracode runs comprehensive scans and links the vulnerable code to the weekly reports identifying what services are affected and forecasting the next steps.

What needs improvement?

The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users.

I would like Veracode to introduce more sophisticated AI features.  

For how long have I used the solution?

I have been using Veracode for one year.

What do I think about the stability of the solution?

I would rate the stability of Veracode nine out of ten.

What do I think about the scalability of the solution?

Veracode supports scaling up whenever we want to keep up with our growing app portfolio.

I would rate the scalability of Veracode eight out of ten.

How are customer service and support?

The experience I had with their technical support has been great.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I recently changed companies, and my current employer does not use Veracode. However, I have discussed implementing it with them because it offers more mature features compared to other solutions.

How was the initial setup?

The initial deployment took around four months and required five people.

What's my experience with pricing, setup cost, and licensing?

Veracode is affordable for large organizations, but its pricing may be out of reach for small and medium companies.

What other advice do I have?

I would rate Veracode an eight out of ten. Veracode's pricing hinders my overall rating of the solution. 

Veracode was deployed in two regions with 25-plus users.

Veracode requires some maintenance to keep the scanning accurate.

While I highly recommend Veracode, affordability for smaller organizations may be a significant hurdle due to its pricing structure. It's crucial to carefully evaluate their budget constraints and explore alternative solutions if necessary.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Security Analyst at an insurance company with 10,001+ employees
Real User
Helps developers to create secure code but should have better visibility of the code flow
Pros and Cons
  • "From a developer's perspective, Veracode's greenlight feature on the IDE is helpful. It helps the developer to be more proactive in secure coding standards. Apart from that, static analysis scanning is definitely one of the top features of Veracode."
  • "It does not have a reporting structure for an OS-based vulnerability report, whereas its peers such as Fortify and Checkmarx have this ability. Checkmarx also provides a better visibility of the code flow."

What is our primary use case?

We use Veracode for static application security testing (SAST). We also use it for scan or software composition analysis (SCA) testing purposes. We mainly use it to triage the flaws or vulnerabilities that are found in our coding standards so that we can enforce secure coding practices at the developers' end. Because we are a part of the security team, we provide mitigation for the development team on all the SAST vulnerabilities that we come across.

How has it helped my organization?

We use it for static application security testing. It helps us with proactivity. Before the product or the application is deployed on the production environment, we have a DevSecOps pipeline that kicks in, and we are able to triage the flaws or vulnerabilities that Veracode shows based on our policies using the Open Web Application Security Project (OWASP). Veracode definitely helps us to go through the vulnerabilities and fix them before they go into production so that bad actors cannot exploit them.

In terms of software composition analysis or SCA, we have come across several libraries and packages that were vulnerable and detected by Veracode. We work on getting the latest updates or packages so that we do not fall back on the security front.

When it comes to visibility, I am not sure whether it is through Veracode, but we have our pipelines built on Azure. We do get to see whenever a scan is kicked off and whether the Veracode check has passed. There is no direct visibility in Veracode apart from the dashboard, which does have information about what type of scan has been performed and whether it is a policy sandbox or just a testing sandbox.

Veracode has been fairly decent for fixing flaws. We have mainly been using it for SAST. For DAST, we have our AppScan from HCL, but Veracode is fairly decent for fixing flaws or trying to be proactive and ensuring all of our applications have been securely developed.

In terms of policies, it works fine. Our policies are mostly predefined. They were defined by our previous team. We look into the policies based on the scan dates.

What is most valuable?

From a developer's perspective, Veracode's greenlight feature on the IDE is helpful. It helps the developer to be more proactive in secure coding standards. Apart from that, static analysis scanning is definitely one of the top features of Veracode.

Recently, I came across a new workflow, which I had seen in Checkmarx, that shows how a vulnerability flows from the start point to the end point of a function. 

What needs improvement?

There can be a lot of improvement. It does not have a reporting structure for an OS-based vulnerability report, whereas its peers such as Fortify and Checkmarx have this ability. Checkmarx also provides a better visibility of the code flow.

Veracode is 75% or 80% accurate. At times, we do come across a lot of false-positive cases, but this is an issue with all security tools. Unfortunately, we do not see an option to set the policies because policies are predefined. Overall, when comparing it with its competitors, Checkmarx is better than Veracode in false-positive rate. Veracode's false-positive rate is decent. It is not too good and not too bad, but there is a lot of room for improvement. I personally found Checkmarx to be more accurate than Veracode. This false-positive rate has an effect on the security team because, for a false positive, a developer raises a ticket for us, and our job gets a little bit more hectic because we have more vulnerabilities to create rather than focusing on the positive ones. It is daunting when too many false positives are being reported by the development team for triaging purposes. However, in one of the calls related to their roadmap, I saw a feature where you can go through the code, and it provides you with some mitigation. 

For how long have I used the solution?

I used Veracode at the beginning of my career from 2017 to 2019. I then switched my job, and my next company used Checkmarx, which is a competitor of Veracode. I changed my job again in 2021 and have been using Veracode in this company. Overall, I have close to three years of experience.

What do I think about the stability of the solution?

It is pretty stable. I would rate it a nine out of ten in terms of stability.

What do I think about the scalability of the solution?

We are using the SaaS offering, so it is pretty scalable. I would rate it a nine out of ten in terms of scalability. 

How are customer service and support?

Whenever there is a flaw that we cannot understand, we have something called Veracode consultation. We raise a ticket and follow up on the ticket. That is it. They are well-versed. The only challenge I face is that I am based out of Ireland. The time zone is a pretty big issue for us most of the time. Whenever we have a code support call, the majority of the time, it happens late at night. That is one of the reasons why we tend to skip the consultation calls. I would rate their support a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have worked with Checkmarx in another job. I prefer Checkmarx over Veracode. Checkmarx provides a better visibility of the code flow. Veracode also has code flow, but it is in IDE, so you need to manually jump through the code and check the flow. It is easier for someone with experience, but someone new to the security domain will find it tough, especially when there is no clear picture of the workflow to know what is going on. This is a feature that I would like in Veracode.

How was the initial setup?

It is a SaaS or cloud solution. It is definitely not on-prem. We sign in using a single sign-on.

I was not involved in its deployment. There is no maintenance as such. 

What other advice do I have?

To those evaluating Veracode, I would say that unless you get hands-on experience, it is difficult to evaluate. So, I would advise getting hands-on experience with the tool. I would also advise checking out other solutions such as Fortify and Checkmarx.

Overall, I would rate Veracode a seven out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer2067186 - PeerSpot reviewer
Product Marketer at a media company with 1,001-5,000 employees
Real User
Top 10
We are able to create more applications and code more, while worrying less about errors while coding
Pros and Cons
  • "The dashboards and the threat insights it provides are very good. The dashboards are intuitive and pretty straightforward, but also pretty detailed."
  • "The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives."

What is our primary use case?

The main purpose of Veracode is to deliver secure code on time. We use it to test our application security, at the implementation stage to make sure that code is secure. We do static and dynamic testing, as well as penetration testing with Veracode. We also use it for security threat detection for our enterprise applications.

How has it helped my organization?

It empowers our developers to fix security issues and achieve desired outcomes. It's a very secure cloud platform and helps us monitor our web sources for any attack. We have been able to completely secure our enterprise software, which is on the cloud, with the solution. Overall, we have been able to reduce the risk factors for our enterprise software. Also, determining security threats to our application happens faster now with the help of Veracode. The benchmarking capabilities against industry standards and the compliance help us a lot.

Veracode also provides a lot of programming language support and different frameworks are available, which enables us to get things into production much more efficiently. Our SDLC has become much smoother and more secure with Veracode.

And it has definitely helped our developers save time. It helps them with future references because, if they write code one time with errors that Veracode finds, the next time they use that as a reference and don't repeat the mistake. In that way, in the continuous development process, a lot of time is saved. It saves us about 20 percent of our time.

We are able to create more applications now, and code more, while worrying less about errors while coding. Worrying about fixing the flaws in an application is completely taken care of by Veracode, so we are able to focus more on creating new code and developing new applications. Veracode has been a great platform for that particular purpose.

We have also found more security vulnerabilities in our code, which has helped us produce much better applications for our end-users. Most of the time, vulnerabilities go unnoticed by humans. Veracode helps us pinpoint the exact vulnerability, what it affects, and it helps us correct it for future reference.

What is most valuable?

One cool feature is the static code scan, which is very good. 

Also, the dashboards and the threat insights it provides are very good. The dashboards are intuitive and pretty straightforward, but also pretty detailed.

We get good, actionable insights at each stage, including static, dynamic, and penetration analysis, and it reduces overhead for us. 

It also has compliance monitoring and reporting capabilities that I like very much. The compliance reporting is a great feature because there are a lot of different frameworks and channels, and each unique channel has its individual compliance monitoring and policies. Veracode helps us prepare for all the different challenges.

What needs improvement?

The false positive rate is a gray area. The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives. We expect false positives, but if that ratio could be reduced to a single-digit number for the false positives, that would be much more helpful.

We are spending some manual effort and time on this because it happens sometimes, when we first scan code, that it says there is no threat. And the second time we scan it, it says there is a threat. Those kinds of positive responses make us do double work. If that was better, it would greatly improve our overall efficiency.

Apart from the false positives, I would like to see more plugins and integrations to make Veracode much more user-friendly for developers and users. Any IDE plugins would make our work faster.

For how long have I used the solution?

My experience with Veracode has been over 12 to 14 months.

What do I think about the stability of the solution?

Overall, because it is a cloud platform, stability is not a concern. It's quite stable. To be strict about things, the UI can be very slow. There is downtime now and then, and I understand why it happens, but I would appreciate it if that happened less.

What do I think about the scalability of the solution?

We are not going to scale it right now. We have about 18 developers and five or six administrators using the solution, and I don't expect that will change for now. But you can purchase more licenses. It's definitely scalable in that sense.

We have it in a single location only and it is used across three or four development teams in our office.

How are customer service and support?

Veracode support is very knowledgeable and very prompt. The Veracode community is also available, which is very good.

How would you rate customer service and support?

Positive

How was the initial setup?

It's only deployed on the cloud. Although I was not a part of the initial deployment, I know for a fact that the deployment can take a long time.

As for maintenance, there are software updates, but apart from downloading the software updates, there isn't any other maintenance required on our side. It's a cloud platform so it self-maintains.

What was our ROI?

Our ROI is that we have seen a tremendous increase in the overall security of our enterprise software. It has helped us engage better with our clients and our retention rate has increased about 7 percent. We can't pinpoint that directly to using Veracode, but since we started using it we have seen this retention increase.

What's my experience with pricing, setup cost, and licensing?

The pricing is fair. We are planning to renew for the next year.

It's definitely value for money. I would tell someone who is looking at Veracode not to be concerned about the pricing because the value that they will get, for this price, in the market, is very good when it comes to their long-term plans.

What other advice do I have?

If a proof of concept is possible, I would ask you to try it out first to get a sense of what Veracode is before investing. But investing in this tool is very much needed. With security threats, for long-term purposes, the code-level threat detection and code-level error detection are very much needed by any organization.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Ivo Dias - PeerSpot reviewer
Sales Engineer at M3Corp
Reseller
Top 10
Helps with shift-left, saving on remediation costs by finding issues earlier, keeping them out of production
Pros and Cons
  • "To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors."
  • "In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me."

What is our primary use case?

I currently work for a Veracode distributor here in Brazil. I work in both presales and post-sales, and I do implementations as well.

How has it helped my organization?

We talk a lot about shift-left and this is very important because, when you find problems near the beginning of the process, it costs less to resolve them. In addition, Veracode provides information on how to handle issues and that saves time for the developers. It's also good for a company's image because the problems are found before deployment to production. 

When it comes to developer confidence, the low false-positive rate is very important. If they use a tool with a lot of false positives, they won't believe the reports they get. And that's important because if the teams don't like a tool, they won't use it. Also, we don't have a tool in Veracode for tuning policies because it is an automated process. In most cases, we don't have many problems that require tuning. We just review the model and usually find it's fine.

What is most valuable?

To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors.

And Veracode's ability to prevent vulnerable code from going into production is the main selling point that we talk about with our customers. It is one of the most important features. 

I have also used the Software Bill of Materials (SBOM) feature in some implementations. It's important because in modern software development, people always use third-party components but they don't necessarily see the problems that they may contain. If you don't use the SBOM tool, you won't know the status of all these third-party pieces. And it's very easy to create a report using this feature because it is made in the Veracode portal with a graphical interface or, in the CLI, it's just one line of code.

Another important factor is the policy reporting for ensuring compliance with industry standards. We generally work with big companies in Brazil and, for them, maintaining the required standards is imperative. The policies can help achieve those standards.

We can also involve Veracode at every stage of the development process. It has a lot of tools to help with security.

Veracode has a new tool to automate the fixing of flaws, but we don't use it. Generally, the orientation that Veracode provides for resolving problems is good and developers can use it to handle the problems and make things work.

What needs improvement?

In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me. I am a distributor and a Veracode solutions expert, so if I create a ticket that means I have read the documentation. It would be better if they sent me more examples instead.

For how long have I used the solution?

I have been using Veracode for two and a half years.

What do I think about the stability of the solution?

It has great stability. It uses AWS and I don't recall any downtime.

What do I think about the scalability of the solution?

The license provides for scalability, so it's just a matter of connecting more users. We don't need to think about it, which is good.

How was the initial setup?

Veracode is a SaaS solution. We just connect it to the customer's environment. It's very simple. We have plugins for the most popular CI/CD tools and, for other tools, it's one or two lines of code to implement. Generally, we just need one person who has edit access to the pipeline. So one or two people are sufficient to implement it.

There is no maintenance of the solution because it's SaaS.

What's my experience with pricing, setup cost, and licensing?

The commercial guys take care of the pricing, it's not something I'm involved in. But the licensing is simple. The SAST product has some rules that some customers have found a little confusing, but overall, the licensing is simple. 

What other advice do I have?

The impact that Veracode has on security posture depends on the size of the company. Usually, large companies have standards in place, and that makes code development more secure than it is in small companies. For small companies, Veracode can really make a huge improvement to the SDLC.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2025