Veracode Reviews

We use Veracode to scan our products for code security. Our company also uses Veracode's data security module.

Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode. I rate Veracode's compliance features a nine out of ten because it provides detailed reports after each scan about potential regulatory violations. 

The solution's static analysis streamlined our DevSecOps process, which previously involved a lot of manual work to trace code vulnerabilities. Veracode reduced our DevSecOps team's time on these tasks by around 20 to 30 percent while drastically improving code quality. 

In the past, we also performed a scan using third-party vendor partners that took days to complete. Veracode conducts a quick dynamic scan each time a new iteration of code is built and deployed into the environment. It gives us an immediate result. We can deploy our products much faster, and there are no delays or surprises after the product is built. We aren't wasting time from development to deployment.

Our overall security posture improved, but we've only been using Veracode in production for less than two months. We expect a massive improvement in the next six to eight months.

The false positive rate is typically less than five percent. False positives can affect how developers use a solution. If we see too many false positives, we might start ignoring alerts. Sometimes the developers lose confidence and may take the work lightly. It isn't an issue currently because the rate is under five percent. 

Dynamic scanning is the most useful feature.

Veracode's ease of use could be improved. I would also like to see more online videos and tutorials that could help us understand the product better. It would also be helpful if Veracode created a certification program for DevSecOps staff to learn about their product and get certified. This kind of training would raise the company's profile within the industry. 

We have used Veracode for about three months. We did a proof of concept for one month, and it has been in production for two. 

I rate Veracode a ten out of ten for stability. We haven't had any issues.

Veracode is scalable, but we haven't scaled it up. However, I expect it will work well when we do.

I rate Veracode support a nine out of ten. Their support system is excellent and highly engaged.

Positive

We tried some Indian solutions and used third-party scans for static analysis, but Veracode is the first time we have fully integrated an enterprise code security solution.

Veracode is a SaaS solution. Setting it up isn't simple, but it isn't too complex. We deployed Veracode with a three-person in-house team. Veracode requires a decent amount of maintenance. You must perform periodic validation checks on how the engine is performing. 

You have to compare the price to the potential cost of data security threats, which could devastate your reputation and revenue overall. We do not doubt that the investment is worth it. It's too early to calculate an ROI, but we anticipate a reduction in overall DevSecOps costs. 

Veracode is priced competitively for our market. 

We evaluated a few other vendor partners and decided to go with Veracode because of the various features they offered.

I rate Veracode a nine out of ten. If you plan to implement Veracode, your DevSecOps should adopt modularized-based code segregation for better visibility into how this ecosystem works. It's crucial to be clear about the solutions you are procuring. There are multiple options, and not everything will work for you. Understanding your requirements, what your customer needs, and what will work best for your product is essential. Purchase the solution most suitable for your product and your company. 

You should also maximize Veracode's benefit by working closely with the tech support team. We don't use many of the features we have procured. Setting up an ongoing review mechanism with Veracode technical support is critical to better understand the product and ensure you get the maximum return for your investment. These are some points that company leaders need to discuss with their DevSecOps and DevOps teams.

Our primary use cases are uploading and assigning scans, uploading compiled codes into the sandboxes, and searching marks to determine whether scans have been completed.

We have multiple locations, teams, and endpoints; we're a worldwide telecommunications company with over 2000 internal and external apps. Some apps communicate from the outside to the inside, but every app goes through Veracode.

We have to scan about 2000 apps, and we're already at 366 scanned within the year's first two months. Additionally, the company has been using Veracode for years; both are testaments to the solution's efficiency.

The platform provides visibility into application status at every phase of the development- Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Testing throughout our SDLC. In terms of DevSecOps processes, the solution makes them quicker and smoother, with less confusion.   

Veracode positively affects our organization's ability to fix flaws; we have a particular app at the moment that failed the scan twice due to its vulnerabilities. Without the solution, we likely wouldn't get that.

The solution has positively affected our organization's overall security posture and will continue to improve it. 

I like the sandbox, the ability to upload compiled code, and how easy it is.

It's also straightforward to find scans we've uploaded. 

The solution's ability to prevent vulnerable code from going into production is incredible. I have done several consultations and remediation calls with the app team, and Veracode catches almost everything. It picks up the same issues in everything we scan, and we've done a lot of retests that way; the tool is very proficient in this area.  

Veracode helps our developers save time; it's a straightforward product that shows us the vulnerabilities and allows us to relay them back to the developers. This is faster and more efficient than staff going through the code manually. The solution is like having a proofreading app for our code rather than using a proofreader.  

The sandbox could use some improvement; when creating a sandbox, it requires us to put the application name in twice, which seems unnecessary.

We've been using the solution for a month and a half. 

Veracode is very stable; unlike many programs and apps, I've never had a problem with it.

The solution is scalable; we're a global telecom company, and we use it to scan every one of our over 2000 apps. 

The technical support is excellent. 

Positive

I'm unfamiliar with the solution's pricing, but it must be worth the cost from a company perspective, as we have been using it for years and have no plans to move away from it.

The product was in place long before I arrived at the company, so I don't know if they evaluated other options.

I rate the solution 10 out of 10. 

I recommend Veracode to any company looking for this type of platform. Though I need to become more familiar with competitor products, I like going into programs and clicking around. Even if I don't initially understand something within Veracode, I can keep going and make sense of it. I updated my resume to include my new experience with the solution.

Veracode reduced the cost of DevSecOps for our organization; we upload a scan, run the test, get the vulnerabilities, and set up a remediation meeting. This makes communication more manageable, and the information is more visible, as all our staff can access the scan results. In several instances, we've consulted with employees from the Veracode side, and they've been very helpful in walking our app team and testers through whatever vulnerabilities we've had issues with.  

We used Veracode for code scanning and source composition analysis.

Veracode can block vulnerable code from going into production.

The SBOM is a good option for companies that are asked about their SBOM.

The SBOM helps manage our risk.

Generating SBOM reports is not difficult, but setting up the necessary infrastructure for analysis takes time.

The policy reporting is incredibly robust.

Veracode provides visibility into application status in every phase of development.

The source composition analysis had very good reporting.

Veracode's long scan time for vulnerable code can hinder productivity. There is room for improvement in this area.

Veracode produced a lot of false positives.

Veracode's ability to fix flaws is less sophisticated than that of its competitors. For example, Veracode's static analysis scanning workflow for flaws is not as highly developed as Checkmarx's or Snyk's. Veracode would often provide incorrect sources and fail to identify the source of malicious user input coming to the team.

The process of bundling binaries or code for scanning could be improved.

I trialed Veracode for two weeks. 

In our short trial period, we did experience some stability issues.

Veracode scales sufficiently.

I worked with Veracode's technical consultation staff and found the agent to be incredibly knowledgeable and sophisticated in their use of Veracode, as well as in vulnerable load patterns.

Positive

The deployment was complex.

Ten people were involved in the deployment.

We used the experience of engineers who had used Veracode in the past, as well as feedback from Veracode's engineers.

Veracode's pricing is competitive.

I believe Veracode would be willing to negotiate decent terms for organizations that are concerned about the pricing.

We also evaluated Checkmarx and Snyk, respectively. This puts them at a slight disadvantage in terms of identifying execution paths and their ability to comprehensively show how vulnerable code is executed in our solution.

I would rate Veracode six out of ten.

Once Veracode is fully configured, the maintenance should be relatively minimal.

Veracode's best advantages are detailed reporting for industries such as government work, or other industries that may require exceptionally detailed reports or secure security verifications. However, I would suggest that people look out for the accuracy of results and the usefulness of findings on a large scale. Additionally, Veracode has a difficult-to-navigate user interface.

We use Veracode to test for errors in the code in the applications we are building within our service pipelines.

Veracode assists in preventing vulnerable code from entering production. It is essential to ensure that our applications entering production are free from errors.

It has assisted our organization by providing a report that we can share with our developers, identifying vulnerabilities in their code. This enables them to address the issues before the code is put into production.

Ever since the implementation of Veracode, I have noticed that the processes for rectifying the issues in our pipelines have become much easier.

Veracode helps our developers save time. The solution has simplified the coding process for our developers.

I would rate Veracode's impact on our organization's overall security posture as nine out of ten. The solution has been beneficial to us daily, and we haven't encountered any issues with their solution so far.

The capability to identify vulnerable code is the most valuable feature of Veracode.

There are times when certain modules cannot be scanned automatically, requiring us to manually select these modules and initiate the scanning process on our side.

The vulnerability report has potential for improvement and should encompass more detailed information about the vulnerability, rather than solely identifying it.

I have been using Veracode for three years.

Veracode is stable.

I believe Veracode is scalable, but I am not certain.

I rate Veracode a seven out of ten.

I recommend Veracode. The solution only requires a one-time configuration into the pipeline and the testing is done automatically. 

Integrating Veracode with our pipelines is an easy process. We simply use VML files and the integration is done automatically for us.

We currently have approximately 55 microservices, composed of various teams. Altogether, there are about 170 people utilizing Veracode.

I recommend becoming as familiar as possible with Veracode before using it. Even watch online tutorials to ensure that the deployment goes as smoothly as possible.

We use software composition analysis and static code analysis. We use a software composition analysis component to identify third-party vulnerabilities in our software. And then we use the static composition analysis to analyze flaws within our application on the front-end and the back-end.

We also use Veracode for static composition and software composition analysis and static code analysis because we need a way to identify vulnerabilities and flaws in the application and relay that information to our developers.

The manual penetration testing is not really used as much.

Having a centralized view is probably one of the most important aspects of the platform. We need to have some way of looking at all the flaws and all the vulnerabilities in one centralized view. 

Having this has improved our visibility into application status. It's very important because it's the way that we communicate flaws to our developers. And without it, we'd be missing out on an opportunity to explain what seems to be fixed and what needs to be managed.

Veracode helps us to reduce security debt. We're finding that issues like cross-site scripting injection, injection, and those sorts of vulnerabilities are getting addressed more quickly. And we don't really have to worry about where those are, whether that's being fixed or not because we can see them in the platform and we can see the score increase every time those get fixed.

The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting."

Using Veracode SCA helped increase productivity for our security and development teams. Every week we do a vulnerability report and we look at the flaws that were reported by Veracode. Our process essentially goes by meeting with developers, looking at the report, finding out which flaws are the most important ones to fix first. After we've done that, we set up a sprint and we have developers work out two to three of those tickets until they're complete. We've done that now for about six months. We increased our application score from a pretty low level all the way up to Veracode Level Three, so above 90. We don't have any high severity or high vulnerabilities and we don't have any mediums and applications anymore. Following that process is extremely helpful. We also utilize the Veracode dashboards as well. We use the Veracode dashboard to monitor our progress in triaging flaws. Then we want to make sure that things are actually getting fixed. And then we can count those metrics by looking at those dashboards.

It has definitely improved our security posture and communication with developers. I think that now developers are taking our security seriously, whereas before it was something that was always important, but there was no real way of actually tracking what was getting done. Now that we have the tool that we can use to track what's getting done, we're making objectives and setting goals, and working towards this.

We use the screening process to help our security professionals and developers fix flaws in the code. It's probably the most utilized security tool that we have at our company.

Scanning with Veracode SCA reduces scan times by a few seconds. It also helps to increase our fixed-rate by 14%.

The scanning process helps to significantly improve our standards and best practices.

The mitigation recommendations provided by the scanning engine of Veracode are important for developers to understand. They need to know how to fix things. So just giving them a blank vulnerability and saying, "this is the issue," doesn't really help. They need something that tells them how to fix the flaw and where to fix the flaw.

Veracode helped us with certification and audit. We're working towards Veracode Level Four right now, we've achieved Veracode Level Three status, and we're looking forward to reaching the next certification level. The goal of that is to eventually have all of our third-party vulnerabilities and mitigate them so that we're in good standing and we don't have anything coming from a third-party library that could possibly compromise our application. Once we get to that fourth certification Veracode Level Four, that would be great.

The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way. And we have a process in place where there's a set of tickets and people can work on them. It just seems that people are more focused. They tend to pay attention to what they're doing and there's accountability. So having a more rigorous JIRA integration would be very helpful.

I have been using Veracode for over a year. 

It's a very stable product, and I think that the team at Veracode is constantly putting in more effort into trying to make it into a better platform. They take feedback seriously. They constantly improve the platform. They are working towards adding features that developers are requesting. So it's always changing, there's always something new being added to it, which is very good.

Large enterprises are probably following a very different practice from what we're following. I think that smaller organizations are going to have an easier time using something like Veracode because of the flexibility of the different API tools that they have available. An enterprise might have a more complicated time scaling it. The issue with that is that the enterprise is probably going to use a proxy and having to deal with the networking issues, it's going to become very difficult for that to scale. However, in a small company, those situations are mitigated pretty easily by getting two or three people together. So we move through those very fast, we're extremely agile. We're always forward moving. We're always rapidly developing. I think each company has its own specific way of handling scalability, it's always been easy just because we're a very collaborative team. We know how to work with each other and we're always receptive to each other's feedback. I can't really speak for other companies, but I can tell you that we find it pretty scalable. That's really just our culture though.

I run all of the administration and I direct people in what needs to be done. So, that's about it. In total, about seven people are really using it.

We are using it to its fullest extent. Even the manual penetration testing aspect of the platform is very useful. The manual penetration testing aspect of the platform is something that would be nice to incorporate because the cost is significantly less than other security companies. For example, InfoSec is about $3,000 more than Veracode, for any organization that wants an all-encompassing security platform. But what we get with Veracode is a platform that provides software composition analysis, static code analysis, Docker Container Scanning, manual penetration testing results, and dashboards that show the progress for moving through all of those issues. And that's probably the most important aspect of the platform.

Once they introduced the prebuilt dashboards that really reduced the amount of friction with upper management. Typically, my mentor said that almost all issues in any business organization come down to personal relationships and opinions, so when Veracode introduced those dashboards, it removed the ability for people to give opinions about what was being done and what wasn't being done.

We're driven by facts as people, so we can look at those metrics and say, "This is what's actually getting done." And there's no ambiguity. Then really that just removes all opinion from any sort of conversation.

They monitor all of the conversations in the platform on the Veracode community. My rep is very responsive. He answers community questions. He votes up really important questions and the issues are getting answered quickly. That's the most important part because then the business, if we run into an issue on Monday and we spend two or three days trying to debug the issue, we haven't figured it out. You can go to a place and actually get an answer. Whereas some organizations try to use a tool that's custom made and they're going to run into an issue where it's intractable. It can't be solved. However, with Veracode, customer support has always been able to find some sort of solution. Anytime I've ever had a problem, it's always been resolved 100%. There's never been a time where it's gone unresolved. I can't say that about every tool.

Positive

We used a combination of things. We use Sonar, Veracode, and JFrog Artifactory just give us a diverse picture of what vulnerabilities are in the application and how we can fix them. Veracode seems to always provide the best feedback. Other platforms really aren't at the same level, they provide reports and those reports are usually very static and they're not very informative. Whereas with Veracode, the platform is very interactive. You can tell that it was designed for users and Sonar is the same way. Sonar is very static. Even in Bitbucket, you can now scan your code with Snyk.

The initial setup was pretty straightforward. The best way to handle it is to get the Java JAR file for the upload, use the terminal on any given laptop, like a Mac or a Linux, and create a small script that uploads a couple of JAR files up to the platform.

Once that's complete, once you have a proof of concept that works with just a couple of lines, then the next step is to move that into a pipeline. Preferably something like Jenkins. Jenkins allows people to run scripts. You can just run Dash straight in a pipeline. Once you have that setup, you pull all that down into the Jenkins pipeline.

Once that's done, you now have all of the binaries that need to be scanned, and you can set the pipeline to run a scan on a weekly cadence. If you want to take it a step further, you could actually move that into a build pipeline and really follow shift-left practices where you're moving the security aspect of the development cycle further up the pipeline. Flaws are being found before they go into production rather than after they're in production. So that would be my recommended approach for working through that problem.

I went through and I actually added container scanning now, so in Veracode at this point, we're running software composition analysis, static code analysis, and on top of that Docker container scanning. So it's a pretty big product. The thing that would be more helpful is better Jira automation since that aspect keeps track of what's getting done. Then essentially you have a full pipeline setup that automates the generation of tickets, scanning, and just takes care of itself. It's a self-service security tool.

The setup took around a week.

We have absolutely seen ROI. We have buy-in from upper management and developers. We have a lot of people who are very excited about what we're doing and we're working towards that.

We've personally seen a major decrease in vulnerabilities and we've seen an increase in awareness for security. So people actually have conversations about security now, and they're taking it seriously. It's no longer an issue that gets swept under the rug. I think a lot of smaller organizations would benefit from having a tool that showed them what is being done, as opposed to someone just saying this is what we're doing if they can see the results that really improve. So, once we added that, we saw a decrease in vulnerabilities, we decreased our third-party vulnerabilities from a pretty significant level and attended the three down to single digits, which is huge for any organization.

The thing that I'll go back to is when one of my mentors said to me "Evan, security is a critical aspect of any organization. People don't always believe in it. And the best way to sell it is to explain what could go wrong." So when we compare what could go wrong, having a third-party vulnerability, like a graph library, such as the one that Equifax used, which led to a $3 million lawsuit, and their reputation was destroyed. When you compare that to paying $8,000 for an application, it's a no-brainer. Once the reputation of an organization has been tarnished, that's it. The whole thing is completely over. Really everyone loses faith and once people lose trust, it's almost impossible to get people to believe in a vision.

It's definitely worth it considering what could go wrong. The DevOps Mantra is to always be prepared for what could go wrong. Most things are going to go wrong.

Having a static cost gives people confidence. And once people start using it, if the price changes, then that's going to be dependent on how much they're getting out of it.

I definitely looked at other security platforms, but Veracode seems to have the most performance.

With Xray, essentially you upload your builds, once you've uploaded your build, you index it. And after you index it, it'll give you a security report. Now, the thing with that is you have to make a policy, you get a report, the report comes out as a PDF and the PDF doesn't really tell you how to fix it. It tells you the fixed version.

The first path of that really was just creating a pipeline that ran a curl request over to Artifactory to generate that PDF. And then on Monday mornings, that was automated. So management can go in, look at that PDF and say, "Oh, okay, these are the things that are happening in our application." Whereas Veracode, is fully automated, it runs the full scan and then creates the tickets. So that's the contrast. 

My advice would be to start with meeting with people from Veracode. Once you meet with the team from Veracode, the best way to handle that is to start asking questions and identifying the things that would be of value so that an organization doesn't start out by paying too much money. Then you're moving away from that being too scared of what the outcome is. I think once they go in and they have a meeting with people and they can actually discuss what they want to do, that's the first step towards planning out how the platform will be used.

I would rate it a ten out of ten. 

We use Veracode for SAST and SCA. We are moving towards dynamic analysis as well. We use it now to scan our artifacts and reports, and very soon we are going to use the Veracode plugin for our IDE to have immediate results for security analysis purposes.

Before integrating Veracode, we were getting so many security vulnerabilities on higher branches. We integrated it to fix that. It prevents vulnerable code from going into production. We have fewer vulnerabilities and bugs.

We are getting the security vulnerability results on a day-to-day basis. Our pipeline is running every hour, and we are getting early feedback, giving us a shift-left approach. On a daily basis, we are able to rectify issues rather than find them in production or pre-production.

It provides visibility into application status at every phase of development. We have our initial feature branch, or low-level branch, and then we commit. The pipeline is running, so we will know about things immediately. This is quite valuable for us.

The SCA, agent-based analysis, is valuable. SAST and DAST take time, while this is quite fast. It gives the results very quickly. We have implemented it into our CI/CD pipeline.

Another aspect that is quite good is the policy reporting for ensuring compliance with industry standards and regulations. Initially, we were using freeware tools, but we are quite impressed with how Veracode gives the most detailed and latest vulnerability and security information.

I have been using Veracode for almost a year.

It's a stable solution. There are no problems. The stability is a seven or eight out of 10.

We connected with Veracode's support a couple of times, and we got a different answer each time.

Neutral

We used to use Snyk and other tools. The switch to Veracode was an enterprise-level discussion, and I was not involved.

It took some time to see the benefits, around six to eight months.

Although Veracode doesn't scan source code, only binary code, I'm not concerned because we can scan the source code with an SCR tool.

Veracode hasn't yet helped our developers save time. Their development time has increased because, initially, we were only taking the security and vulnerability issues on the higher branches. Now it is on lower branches as well, so the development time has increased. In the local branches, if a report indicates something has not passed, we are not allowing them to merge their code into higher branches.

We have it deployed in a multi-cloud and hybrid environment. We are using AWS, Azure, and VMware vSphere.

Overall, I would recommend Veracode. It is quite helpful.

We use Veracode for product testing.

We exclusively utilize Veracode for a product used in our consulting services, which we provide on a licensing basis.

We deploy Veracode in the cloud and can utilize any cloud provider, including Google Cloud, Azure, and AWS.

Veracode's ability to prevent vulnerable code from entering production is both effective and thorough.

The SBOM feature is straightforward, making it easy to create reports. The SBOM feature is crucial to our organization because we can utilize the report to effectively present a product to customers, demonstrating its viability and security. 

Veracode has helped us improve our secure coding practices, which, in turn, has boosted our confidence in selling our products.

We were able to experience all of Veracode's benefits for our organization within the first year.

Veracode helps to provide visibility into the application's status at every phase of development. This helps us ensure that our code is secure from the start, saving us time that would otherwise be spent sorting through bugs at the end. 

Veracode's false positives are beneficial for our developers as they assist in organizing and understanding the implications of these false positives.

Veracode has helped our organization address flaws by identifying our mistakes. The initial usage of the solution was challenging due to the large number of code lines that needed to be read, but it became easier over time.

I find all the features valuable, especially dynamic scanning, static scanning, and software composition analysis.

When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us. The duration of the manual penetration testing process needs to be improved.

The cost of the solution can be reduced.

I have been using Veracode for two and a half years.

Veracode is a stable solution.

Veracode is scalable. Veracode is used by around four people in our organization.

The technical support response time is slow. 

Neutral

The initial setup is straightforward. Veracode is a virtual platform, so all we need to do is upload the code, and it will be ready to use. The deployment was carried out by one of our senior product managers.

The implementation was completed in-house.

Veracode's pricing is on the higher end, but it is acceptable.

We evaluated multiple solutions, including BlackBox, three years ago. However, Veracode was the only solution that had all the features and also had a proper certification system in place. The other solutions did not provide a comprehensive suite. For instance, they offered static scanning but lacked dynamic scanning, whereas Veracode provided both, along with a training module.

I give Veracode an eight out of ten. The solution is comprehensive, albeit a bit costly.

We have not observed any impact on our policy reporting and compliance with industry standards and regulations since we started using Veracode.

The false positive rate is slightly high, but we are able to manage it. The false positive rate of the static analysis has not affected the time we spend on the tuning process.

Veracode has not affected our developers' time significantly, as the response rates for certain tasks have been slightly slower.

I recommend conducting a cost analysis and rate of return evaluation to determine whether the solution is worthwhile. I highly recommend using Veracode for complex products, but it may not be as valuable for simpler ones.

Veracode does not require any maintenance.

I have learned that it is necessary to plan our strategy for the product and security prior to using Veracode.

For every application we develop, we want both static and dynamic security scans done before deploying them.

The solution helps us to verify if our code is error-prone or has any OWASP security flaws. It has also reduced our scanning time, but it's difficult to say by how much.

Also, the scanning process helps a lot when it comes to improving standards and best practices. If we scan multiple times and we get the same warnings again and again, it helps us to identify that there's something we need to rectify, overall, in our standards and processes.

In addition, the solution has helped to increase our security and development teams' productivity.

On the whole, Veracode has improved the quality of our code and the end product. It has reduced our security debt by 40 or 50 percent. It helps protect our application from external attacks.

It scans for the OWASP top-10 security flaws at the dynamic level and, at the static level, it scans for all the warnings so that developers can fix the code before we go to UAT or the next phase.

It also gives us a centralized view of issues and that is important because security is key to any application. We want to identify the flaws as early as possible. The centralized view means that everybody can see the report and remediate accordingly.

I would like to see improvement on the analytics side, and in integrations with different tools.

Also, the dynamic scanning takes time.

We have been using Veracode for more than six years.

It's a stable product.

We have about 30 to 40 developers using the solution. We use it on a weekly basis but I can't comment on whether we will increase our use of it. That depends on our product.

Technical support is average. They take some time to respond.

Neutral

We didn't use anything prior to this.

The ROI for us is that it improves our code quality and helps remove security flaws. It is an essential tool.

It does root analysis, but fixing things is up to us. Also, it doesn't require much maintenance.

I would highly recommend it.